Method, apparatus and program for quantitative competition and recording medium having recorded thereon the program

Abstract

Numbers 1, 2, . . . , M are assigned to bidding prices from the minimum to maximum values V.sub.1 to V.sub.N. For a bidding value V.sub.vi each user 11-i generates two sequences of information s.sub.i={s.sub.i,1, s.sub.i,2, . . . , s.sub.i,M} and t.sub.i={t.sub.i,1, t.sub.i,2, . . . , t.sub.i,M} such that s.sub.i,1=t.sub.i,1, . . . , s.sub.i,vi-1, s.sub.i,vi.noteq.t.sub.i,vi, . . . , s.sub.i,M.noteq.t.sub.i,M, then secretly sends the two sequences of information s.sub.i and t.sub.i to quantitative competition apparatuses 15A and 15B, respectively, and sends hash values H1.sub.i=h(s.sub.i) and H2.sub.i=h(t.sub.i) of the two sequences of information s.sub.i and t.sub.i and a hash value h(V.sub.vi.parallel.r.sub.i) containing an intended value V.sub.vi to a bulletin board apparatus 21. The quantitative competition apparatuses 15A and 15B extract w-th elements s.sub.i,w from respective sequences s.sub.1 to s.sub.N and w-th elements t.sub.i,w from respective sequences t.sub.1 to t.sub.N, then create a concatenation Seq.sub.s,w of N elements s.sub.i,w and a concatenation Seq.sub.t,w of N elements t.sub.i,w, then compare them using a one-way function without revealing their values, and, if they differ, deciding that the intended value V.sub.vi equal to or smaller than a value V.sub.w is present, and determines the minimum value by changing w.

Description

BACKGROUND OF THE INVENTION

[0001] The present invention relates to a method and apparatus for quantitative competition that compare users' aimed or intended values online, for example, across the Internet while holding them in secrecy and specify the maximum or minimum one of the intended values and only the user having committed it as his intended value.

[0002] An example of the online quantitative competition is an "electronic sealed-bit auction scheme." With this scheme, the maximum or minimum value and the user having committed it as his intended value are specified, and techniques for holding other information in secret. This scheme is disclosed, for example, in Kobayashi and Morita, "Efficient sealed-bid auction with quantitative competition using one-way functions," ISEC99. Further, in H. Kikuchi, M. Harkavy and J. D. Tygar, "Multi-round anonymous auction protocols," IEEE Workshop on Dependable and Real-Time E-Commerce System, 1998, there is proposed a scheme that decides whether there is a user having committed his intended value equal to or greater than or smaller than a certain numerical value. The latter scheme has a disadvantage that when plural users have committed the maximum or minimum value as their intended values, those users cannot be specified and that they can detect a second highest or lowest numerical value.

SUMMARY OF THE INVENTION

[0003] It is therefore an object of the present invention to provide a method and apparatus that compare plural users' intended values online, specify the maximum or minimum one of the users' intended values with high security and efficiently and, if necessary, the user of the intended value corresponding to the specified value but keep the other users secret.

[0004] For M integral values to be compared, their upper- and lower-limit values V.sub.M and V.sub.1 are determined in advance. In this case, V.sub.k>V.sub.k-1, where k=2, 3, . . . , M. Incidentally, since the maximum and minimum values are specified by substantially the same method, the following description will be given only of the case of specifying the minimum value.

[0005] After determining his intended value V.sub.vi equal to or greater than V.sub.1 and equal to or smaller than V.sub.M, each user 11-i (where i=1, 2, . . . , M) generates in a user apparatus two M-element sequences of information s.sub.i and t.sub.i such that their elements corresponding to values equal to or greater than V.sub.1 and equal to or smaller than V.sub.vi are equal but other elements differ, and secretly sends the sequence of information s.sub.i to a first quantitative competition apparatus and the sequence of information t.sub.i to a second quantitative competition apparatus. With the sequence of information s.sub.i or t.sub.i alone, it is impossible to obtain information about the value V.sub.vi, and hence there is no possibility of the value V.sub.vi being available to any body and even to each quantitative competition apparatus.

[0006] After the sequences of information s.sub.i and t.sub.i (where i=1, 2, . . . , N) about all users' intended values are obtained, the minimum value is determined. It can be determined by any desired procedure. An efficient scheme will be described below. For example, in the first place, initial values of two variables w.sub.min and w.sub.max are set at 1 and M, respectively, the maximum integer equal to or greater than (w.sub.min+w.sub.max)/2=(1+M)/2 is set at w, and a check is made to see if there is a user whose intended value is equal to or smaller than V.sub.w. To perform this, the first quantitative competition apparatus extracts w-th elements s.sub.i,w from all users' sequences of information s.sub.i, and generates Seq.sub.s,w=s.sub.1,w.parallel.s.sub.2,w.parallel. . . . .parallel.S.sub.N,w (where .parallel. indicates the concatenation of data) in which the extracted elements are arranged in a predetermined order (for example, in the order of numbers pre-assigned to the users). The second quantitative competition apparatus extracts w-th elements t.sub.i,w from all users' sequences of information t.sub.i, and generates Seq.sub.t,w=t.sub.1,w.parallel.t.sub.2,w.parallel. . . . .parallel.t.sub.N,w in which the extracted elements are arranged in a predetermined order. Then, Seq.sub.s,w and Seq.sub.t,w are compared whether they are equal or not using one-way functions or encryption functions without revealing their values. If they differ from each other, it is decided that there is a user whose intended value is equal to or smaller than V.sub.w, then w is substituted for the variable w.sub.max, then Seq.sub.s,w and Seq.sub.t,w are similarly generated, and they are compared. If they are equal to each other, it is decided that there is no user whose intended value is equal to or smaller than V.sub.w, then w+1 is substituted for the variable w.sub.min, and the above manipulation is repeated until w.sub.min=w.sub.max (=MIN), by which the minimum value V.sub.MIN is determined.

[0007] When w.sub.min=w.sub.max=MIN is reached, Seq.sub.s,MIN and Seq.sub.t,MIN are made public so that every body can specify the user whose intended value is the minimum value V.sub.MIN.

BRIEF DESCRIPTION OF THE DRAWINGS

[0008] FIG. 1 is a diagram schematically illustrating an example of the entire system configuration of a first embodiment of the present invention;

[0009] FIG. 2 is a block diagram showing examples of main functional configurations of a user apparatus;

[0010] FIG. 3 is a flowchart showing the procedure for generating two sequences of information;

[0011] FIG. 4 is a block diagram showing examples of main functional configurations of a quantitative competition apparatus 15A;

[0012] FIG. 5 is a block diagram showing examples of main functional configurations of a quantitative competition apparatus 15B;

[0013] FIG. 6 is a diagram schematically depicting two sequences of information of respective pairs;

[0014] FIG. 7 is a flowchart showing the procedure for specifying the minimum value;

[0015] FIG. 8 is a block diagram depicting the functional configuration of a user apparatus in a second embodiment of the present invention;

[0016] FIG. 9 is a block diagram depicting the functional configuration of an information sequence generating part 33 in FIG. 8; and

[0017] FIG. 10 is a flowchart showing the procedure that is followed by the user apparatus in the second embodiment.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0018] Assume that the upper- and lower-limit integral values V.sub.M and V.sub.1 and a large prime P are already determined prior to quantitative competition. The prime number P is one that P-1 has a large prime factor as a divisor, that is, a prime that is used for a cryptosystem based on a discrete logarithm problem.

[0019] A description will be given of a first embodiment directed to a method with which it is possible to specify the lowest one of all bidders' intended values and the lowest bidder through use of two quantitative competition apparatuses, followed by a second embodiment that provides increased security in the above-mentioned quantitative competition method, and by a third embodiment that employs three quantitative competition apparatuses to ensure specifying the lowest one of all bidders' intended values and the lowest bidder even if one of the quantitative competition apparatuses goes down during operation.

[0020] First Embodiment

[0021] FIG. 1 illustrates in block form the entire system configuration of a first embodiment of the present invention, which comprises user apparatuses 13-1 to 13-N, quantitative competition apparatuses 15A and 15B, a bulletin board apparatus 21 and a database 23. The user apparatuses 13-1 to 13-N are each capable of communicating with the quantitative competition apparatuses 15A, 15B and the bulletin board apparatus 21 through a communication network, and the quantitative competition apparatuses 15A and 15B are capable of communicating with the bulletin board apparatus 21. Reference character Y indicates information read out of the bulletin board apparatus 21, to which the database 23 is connected. A quantitative competition apparatus 15C surrounded by the broken line is used in a third embodiment described later on.

[0022] Each user apparatus 13-i comprises, as depicted in FIG. 2, an input part 30, a random generating part 31, a storage part 32, an information sequence generating part 33, an encrypting part 34, a hash function calculating part 35, a transmitting part 36, a control part 37, a concatenating part 38, and a sharing part 39.

[0023] Each user 11-i (where i=1, 2, . . . , N) determines or chooses his or her aimed or intended integral value V.sub.vi in the range from V.sub.1 to V.sub.M, and inputs the integral value to the user apparatus 13-i via the input part 30 such as a keyboard. The information sequence generating part 33 generates two sequences of information of the same number M of elements, s.sub.i={s.sub.i,1, . . . s.sub.i,2, . . . , s.sub.i,M} and t.sub.i={t.sub.i,1, t.sub.i,2, . . . , t.sub.i,M} based on the input information V.sub.vi and a random number generated by the random generating part 31. The number M is indicative of the value that the each user is allowed to choose as the intended value from among V.sub.1 to V.sub.M; accordingly, a series of monotone increasing values V.sub.1 to V.sub.M have a one-to-one correspondence with the numbers 1 to M.

[0024] On choosing the intended value V.sub.vi, the user 11-i generates the two sequences of information s.sub.i and t.sub.i so that s.sub.i,1=t.sub.i,1, s.sub.i,2, . . . , s.sub.i,vi-1=t.sub.i,vi-1, s.sub.i,vi.noteq.t.sub.i,vi, s.sub.i,v+1, . . . , s.sub.i,M.noteq.t.sub.i- ,M. That is, s.sub.i and t.sub.i are generated so that the corresponding elements (information) in the range of from V.sub.1 to V.sub.vi are equal but that the corresponding elements in the range of from V.sub.vi to V.sub.M differ from each other.

[0025] FIG. 3 is a flowchart showing the procedure for generating such two sequences of information s.sub.i and t.sub.i.

[0026] Step S1: Generate vi-1 random numbers r.sub.1, r.sub.2, . . . , r.sub.(vi-1) each consisting of a predetermined number of bits, and divides these random numbers into two subsequnces s.sub.i,1, s.sub.i,2, . . . , s.sub.i,vi-1 and t.sub.i,1, t.sub.i,2, . . . , t.sub.i,vi-1 where s.sub.i,m=t.sub.i,m, m=1, 2, . . . , vi-1.

[0027] Step S2: Let m be vi.

[0028] Step S3: Generate two random numbers r.sub.s and r.sub.t.

[0029] Step S4: Compare the two random numbers, and if they are equal, then return to step S3.

[0030] Step S5: If the two random numbers differ from each other, set r.sub.s at s.sub.i,m and r.sub.t at t.sub.i,m and increment m by one.

[0031] Step S6: If m is smaller than M, then return of step S3.

[0032] Step S7: If m is not smaller than M in step S6, then concatenate the above-mentioned two subsequences s.sub.i,1, s.sub.i,2, . . . , s.sub.i,vi-1 and t.sub.i,1, t.sub.i,2, . . . , t.sub.i,vi-1 with s.sub.i,vi, s.sub.i,vi+1, . . . , s.sub.i,M and t.sub.i,vi, t.sub.i,vi+1, . . . , t.sub.i,M set by repeating steps S3 to S5, thereby obtaining two sequences of information s.sub.i={s.sub.i,1, s.sub.i,2, . . . , s.sub.i,M} and t.sub.i={t.sub.i,1, t.sub.i,2, . . . , t.sub.i,M}. The two sequences of information thus obtained are stored in the storage part 32 in FIG. 2.

[0033] The random generating part 31 generates random numbers R1.sub.i and R2.sub.i, and pairs of information (s.sub.i, R1.sub.i) and (t.sub.i, R2.sub.i) are sent secretly to the quantitative competition apparatuses 15A and 15B, respectively; for example, the pairs of information are encrypted with encryption functions E.sub.A and E.sub.B in the encrypting part 34 into encrypted sequences of information E.sub.A(s.sub.i.parallel.- R1.sub.i) and E.sub.B(t.sub.i.parallel.R2.sub.i) for transmission to the quantitative competition apparatuses 15A and 15B. The encryption functions E.sub.A and E.sub.B are public-key cryptofunctions that only the quantitative competition apparatuses 15A and 15B can decrypt, respectively. Further, the random generator 31 generates a random number r.sub.i as data that is used to verify the fairness of the minimum intended value V.sub.MIN described later on, and the concatenating part 38 generates V.sub.vi.parallel.r.sub.i that is a concatenation of the intended value V.sub.vi and the random number r.sub.i; furthermore, the sharing part 39 determines random information a.sub.i and b.sub.i such that r.sub.i=a.sub.i*b.sub.i (where * is an operator made public in advance). The operator * may be any operators that uniquely define the random number r.sub.i when the pieces of random information a.sub.i and b.sub.i are given, such as exclusive OR, subtraction, addition and so forth.

[0034] The hash function calculating part 35 calculates, by a hash function h, hash values H1.sub.i=h(s.sub.i.parallel.R1.sub.i) and H2.sub.i=h(t.sub.i.parallel.R2.sub.i) for concatenations of the respective sequences of information and the random numbers, s.sub.i.parallel.R1.sub.i and t.sub.i.parallel.R2.sub.i. The hash function calculating part 35 further calculates hash values h(a.sub.i), h(b.sub.i) and h(V.sub.vi.parallel.r.sub.i) of a.sub.i, b.sub.i and V.sub.vi.parallel.r.sub.i, and sends all of these values to the bulletin board apparatus 21. Incidentally, the minimum and maximum values V.sub.1 and V.sub.M, the two sequences of information s.sub.i and t.sub.i, the random numbers R1.sub.i and R2.sub.i, the intended value V.sub.vi, the random number r.sub.i and the random information a.sub.i and b.sub.i are stored in the storage part 32, from which they are sent by the transmitting part 36 to the quantitative competition apparatuses 15A, 15B and the bulletin board apparatus 21. The control part 37 controls reading from or writing to the storage part 32 and operations of the respective parts. The user apparatus 13-i may also be configured to execute programs by a computer.

[0035] Each user apparatus 13-i commits the intended value V.sub.vi by sending the hash values h(V.sub.vi.parallel.r.sub.i), H1.sub.i and H2.sub.i to the bulletin board apparatus 21 for publication as mentioned above. This means that each user registers V.sub.vi as his intended value without making it public. As a result, the intended value V.sub.vi is made unchangeable thereafter, and when a value equal to or larger than the intended value V.sub.vi is made public as the minimum value V.sub.MIN in the bulletin board apparatus 21 for some reason, each user apparatus makes public the pairs of information (s.sub.i, R1.sub.i) and (t.sub.i, R2.sub.i), or (V.sub.vi.parallel.r.sub.i) to indicate that the intended value V.sub.vi is equal to or smaller than the minimum value V.sub.MIN, thereby verifying that the published minimum value V.sub.MIN is cheating. It is for the reasons given below not to singly hash the information sequences s.sub.i and t.sub.i to be sent to the bulletin board apparatus 21 but instead to hash their concatenations with the random numbers R1.sub.i and R2.sub.i. That is, letting H1.sub.i=h(s.sub.i) and H2.sub.i=h(t.sub.i), if the number of bits of each element of the information sequences s.sub.i and t.sub.i are decreased for the purpose of reducing channel capacity and another user learns either one of the sequences of information s.sub.i and t.sub.i by some means, then the user could easily estimate the other information sequence (the knowledge of s.sub.i and t.sub.i may enable the user to know the value V.sub.vi); therefore, the above scheme is intended to prevent such leakage of the information sequences and hence provide increased security for the quantitative competition apparatuses 15A and 15B. In practice, however, the security may be diminished to some extent, and if the number of bits of each element is large, the random numbers R1.sub.i and R2.sub.i may be omitted.

[0036] The quantitative competition apparatuses 15A (and 15B) comprise, as shown in FIG. 4 (and FIG. 5), receiving parts 40A (40B), decrypting parts 37A (47B), storage parts 41A (41B), random generating parts 42A (42B), hash function calculating parts 43A (43B), modular exponentiation parts 44A (44B), transmitting parts 45A (45B), and control parts 46A (46B).

[0037] In the quantitative competition apparatus 15A the encrypted sequence of information E.sub.A(s.sub.i.parallel.R1.sub.i) received in the receiving part 40A is decrypted in the decrypting part 47A into s.sub.i.parallel.R1.sub.i (where i=1, . . . , N), and if necessary, the decrypted information s.sub.i.parallel.R1.sub.i is hashed in the hash function calculating part 43A to obtain a hash value h(s.sub.i.parallel.R1.sub.i); it is possible to verify that the hash value matches the value H1.sub.i made public in the bulletin board apparatus 21. The sequences of information s.sub.1 to s.sub.N and the random numbers R1.sub.1 to R1.sub.n are separated from the value s.sub.i.parallel.R1.sub.i and are stored in the storage part 41A. In the storage part 41A there is also prestored the afore-mentioned large prime P.

[0038] The bulletin board apparatus 21 stores information received from the user apparatuses 13-1 to 13-N and the quantitative competition apparatuses 15A and 15B in the data base 23, which is accessible from any apparatuses. In the quantitative competition processing the bulletin board apparatus 21 decides whether the pieces of information sent from the quantitative competition apparatuses 15A and 15B match each other, and based on the result of decision, updates the value w to be provided to the quantitative competition apparatuses 15A and 15B. Since the bulletin board apparatus 21 performs only such functions, their functional configurations are not shown.

[0039] Upon completion of transmission of the encrypted sequences of information E.sub.A(s.sub.i.parallel.R1.sub.i) and E.sub.B(s.sub.i.parallel.R1.sub.i) and the hash values H1.sub.i, H2.sub.i, h(V.sub.vi.parallel.r.sub.i), h(a.sub.i) and h(b.sub.i) from every user 13-i (where i=1, . . . , N), for example, the bulletin board apparatus 21 sends to the quantitative competition apparatuses 15A and 15B an initial value V.sub.w that is the maximum integer equal to or larger than (w.sub.min+w.sub.max)/2=(1+M)/2 where w.sub.min and w.sub.max are two integral variables and have their initial values set at 1 to M, respectively, the initial value V.sub.w being received in the receiving parts 40A and 40B. The quantitative competition apparatus 15A generates, as depicted in FIG. 4, a random number RA.sub.w in the random generating part 42A, then reads out of the storage part 41A those elements s.sub.i,w in the sequences of information s.sub.i received from all the user apparatuses 13 which correspond to the value w, and generates, by a sequence generator 48A, Seq.sub.t,w=t.sub.1,w.parallel.t.sub.2,w.parallel- . . . . .parallel.t.sub.N,w, which is a concatenation of the read-out elements arranged in the order of the users 11-1, 11-2, . . . , 11-N. The hash function calculating part 43A calculates a hash value HS.sub.w=h'(Seq.sub.t,w) for the element concatenation Seq.sub.t,w by a hash function h' and a hash value HA.sub.w=h(RA.sub.w.parallel.HS.sub.w), by a hash function h, for a concatenation RA.sub.w.parallel.HS.sub.w of the random number RA.sub.w and the hash value HS.sub.w produced by a concatenator 49A. The hash value HS.sub.w and the random number RA.sub.w are input to the modular exponentiation part 44A for calculating CA.sub.w=HS.sub.w.sup.RAw(mod P), and a pair (HA.sub.w, CA.sub.w) is sent from the transmitting part 45A to the bulletin board apparatus 21, wherein it is made public. The hash function h' is a one-way function that maps a given value over a finite field uniquely and randomly. The hash function h is a general-purpose function like SHA-1.

[0040] The quantitative competition apparatus 15B generates, as depicted in FIG. 5, a random number RB.sub.w in the random generating part 42B, then reads out of the storage part 41B those elements t.sub.i,w in the sequences of information t.sub.i received from all the user apparatuses 13 which correspond to the value w, and generates, by a sequence generator 48B, Seq.sub.t,w=t.sub.1,w.parallel.t.sub.2,w.parallel. . . .parallel.t.sub.N,w, which is a concatenation of the read-out elements arranged in the order of the users 11-1, 11-2, . . . , 11N. The hash function calculating part 43B calculates a hash value HT.sub.w=h'(Seq.sub.t,w) for the element concatenation Seq.sub.t,w by a hash function h' and a hash value HB.sub.w=h(RB.sub.w.parallel.HT.sub.w), by a hash function h, for a concatenation RB.sub.w.parallel.HT.sub.w of the random number RB.sub.w and the hash value HT.sub.w produced by a concatenator 49B. The hash value HT.sub.w and the random number RB.sub.w are input to the modular exponentiation part 44B for calculating CB.sub.w=HT.sub.w.sup.RBw(mod P), and a pair of values (HB.sub.w, CB.sub.w) is sent from the transmitting part 45B to the bulletin board apparatus 21, wherein it is made public.

[0041] Next, the quantitative competition apparatus 15A reads the information CB.sub.w made public by the bulletin board apparatus 21, then inputs it to the modular exponentiation part 44A, then calculates CB.sub.w.sup.RAw by the random number RA.sub.w, and sends the calculation result to the bulletin board apparatus 21. Similarly, the quantitative competition apparatus 15B also reads CA.sub.w=HS.sub.w.sup.RAw(mod P) made public by the bulletin board apparatus 21, then inputs it to the modular exponentiation part 44B to calculate CA.sub.w.sup.RBw=(HS.sub.w.s- up.RAw).sup.RBw(mod P), and sends the result of calculation to the bulletin board apparatus 21.

[0042] FIG. 6 schematically shows in vertical form the sequences of information s.sub.i and t.sub.i (where i=1, . . . , N) that each user apparatus 13-i generates in the information sequence generating part 33. In a given pair (s.sub.i,m, t.sub.i,m) of the corresponding elements in each pair of sequences of information s.sub.i={s.sub.i,1, s.sub.i,2, . . . , s.sub.i,m, . . . , s.sub.i,M} and t.sub.i={t.sub.i,1, t.sub.i,2, . . . , t.sub.i,m, . . . , t.sub.i,M}, the straight-line portions represent subsequences where s.sub.i,m=t.sub.i,m, and the zigzag portions represent subsequences where s.sub.i,m.noteq.t.sub.i,m. For example, when the value m=w passes through the straight-line portions of all pairs of sequences of information s.sub.i and t.sub.i as shown, (s.sub.i,w.parallel.s.sub.2,- w.parallel. . . . .parallel.s.sub.N,w)=(t.sub.i,w.parallel.t.sub.2,w.paral- lel. . . . .parallel.t.sub.N,w), that is, Seq.sub.s,w=Seq.sub.t,w, and consequently, it can be seen that h'(Seq.sub.s,w)=h'(Seq.sub.t,w), that is, HS.sub.w=HT.sub.w. However, if the value w is high enough to pass through the zigzag portions of at least one pair of sequences of information si and ti, the likelihood of HS.sub.w=HT.sub.w is negligibly little since (s.sub.i,w.parallel.s.sub.2,w.parallel. . . . .parallel.s.sub.N,w).noteq.(t.sub.i,w.parallel.t.sub.2,w.parallel. . . . .parallel.t.sub.N,w) Accordingly, HS.sub.w.noteq.HT.sub.w.

[0043] When HS.sub.w=HT.sub.w, the values (HT.sub.w.sup.RBw).sup.RAw(mod P) and (HS.sub.w.sup.RAw).sup.RBw(mod P) sent to the bulletin board apparatus 21 are equal to each other. Since P is a large prime and since P-1 has a large prime factor as its divisor, the likelihood of the values (HT.sub.w.sup.RBw).sup.RAw(mod P) and (HS.sub.w.sup.RAw).sup.RBw(mod P) being equal is negligibly little when HS.sub.w.noteq.HT.sub.w. Accordingly, when (HT.sub.w.sup.RBw).sup.RAw(mod P)=(HS.sub.w.sup.RAw).su- p.RBw(mod P), since s.sub.1,w=t.sub.1,w, s.sub.2,w=t.sub.2,w, . . . , s.sub.N,w=t.sub.N,w, it holds that s.sub.i,m=t.sub.i,m (where m=1, . . . , w) for each i and the intended value V.sub.vi is not included in first to w-th values V.sub.1 to V.sub.w among M values V.sub.1 to V.sub.M; therefore, the minimum intended value V.sub.MIN is not included. In other words, the minimum intended value is present in the range of (w+1)-th to M-th values. It can be seen that when (HT.sub.w.sup.RBw).sup.RAw(mod P).noteq.(HS.sub.w.sup.RAw).sup.RBw(mod P), the probability of the minimum intended value being present in the w-th and subsequent values is overwhelmingly high.

[0044] The bulletin board apparatus 21 makes the above comparison, then substitutes w+1 for the variable w.sub.min or w for the variable w.sub.max depending on whether (HT.sub.w.sup.RBw).sup.RAw(mod P) and (HS.sub.w.sup.RAw).sup.RBw(mod P) are equal or not, and repeats the above manipulation. After approximately log M rounds of manipulation, w.sub.max=w.sub.min (=MIN). In this instance, the MIN-th value V.sub.MIN in the range from V.sub.1 to V.sub.M is the minimum intended value.

[0045] FIG. 7 shows the procedure of searching for the minimum value described above.

[0046] Step S1: The bulletin board apparatus 21 initializes the variables w.sub.min and w.sub.max at 1 and M, respectively, then calculates the maximum integer w equal to or smaller than (w.sub.min+w.sub.max)/2, and sends the value w to the quantitative competition apparatuses 15A and 15B.

[0047] Step S2A: The quantitative competition apparatus 15A generates the element concatenation Seq.sub.s,w and the random number RA.sub.w, then calculates the hash values HS.sub.w=h'(Seq.sub.s,w) and HA.sub.w=h(RA.sub.w.parallel.HS.sub.w) and the modular exponent CA.sub.w=HS.sub.w.sup.RAw(mod P), and sends (HA.sub.w, CA.sub.w) to the bulletin board apparatus 21.

[0048] Step S2B: Similarly, the quantitative competition apparatus 15B also generates the element concatenation Seq.sub.t,w and the random number RB.sub.w, then calculates the hash values HT.sub.W=h'(Seq.sub.t,w) and HB.sub.w=h(RB.sub.w.parallel.HT.sub.w) and the modular exponent CB.sub.w=HT.sub.w.sup.RBw(mod P), and sends (HB.sub.w, CB.sub.w) to the bulletin board apparatus 21.

[0049] Step S3A: The quantitative competition apparatus 15A reads out CB.sub.w from the bulletin board apparatus 21, then calculates CB.sub.w.sup.RAwmod P=(HT.sub.w.sup.RBw).sup.RAwmod P, and sends it to the bulletin board apparatus 21.

[0050] Step S3B: The quantitative competition apparatus 15B reads out CA.sub.w from the bulletin board apparatus 21, then calculates CA.sub.w.sup.RBwmod P=(HS.sub.w.sup.RAw).sup.RBwmod P, and sends it to the bulletin board apparatus 21.

[0051] Step S4: The bulletin board apparatus 21 makes a check to determine if (HT.sub.w.sup.RBw).sup.RAwmod P and (HS.sub.w.sup.RAw).sup.RBwmod P match each other.

[0052] Step S5: If they match, the bulletin board apparatus 21 substitutes w.sub.min for w.sub.w+1.

[0053] Step S6: If they do not match, the bulletin board apparatus 21 substitutes w.sub.max for w.sub.w.

[0054] Step S7: A check is made to see if w.sub.max=w.sub.min, and if not, the procedure returns to step S1, followed by repeating steps S2A, S2B, S3A, S3B, S4, S5 and S6.

[0055] Step S8: If w.sub.max and w.sub.min are equal in step S7, then w.sub.min=MIN and the value corresponding to the number MIN, as the minimum intended value V.sub.min, are both made public. The quantitative competition apparatuses 15A and 15B send to the bulletin board apparatus 21 the element concatenations Seq.sub.s,MIN and Seq.sub.t,MIN corresponding to the number MIN, thereby making it possible to specify a user 11-j that the corresponding elements s.sub.j,MIN and t.sub.j,MIN in the two element concatenations differ from each other.

[0056] This means that the minimum intended value V.sub.MIN among the intended values V.sub.v1 to V.sub.vN of the users 11-1 to 11-N has been obtained. After detecting the minimum intended value V.sub.MIN the quantitative competition apparatuses 15A and 15B send to the bulletin board apparatus 21 Seq.sub.s,MIN, RA.sub.MIN, Seq.sub.t,MIN and RB.sub.MIN obtained when w.sub.min=w.sub.max=MIN. As a result, all the users 11-1 to 11-N are allowed to compare the corresponding elements s.sub.i,MIN and t.sub.i,MIN of the two element concatenations Seq.sub.s,MIN and Seq.sub.t,MIN for each i=1, . . . , N and learn that the user 11-j corresponding to the j-th portion containing information s.sub.j,MIN.noteq.t.sub.j,MIN has set the minimum intended value V.sub.MIN as his intended value V.sub.vj. With the order of arrangement of Seq.sub.s,MIN and Seq.sub.t,MIN known, it is possible to specify the above-mentioned j-th user 11-j determined in step S8.

[0057] In this embodiment the quantitative competition apparatus 15A receives from the user 11-i (where i=1, . . . , N) the random information a.sub.i that is r.sub.i=a.sub.i*b.sub.i, whereas the quantitative competition apparatus 15B receives the random information b.sub.i from the user 11-i. The bulletin board apparatus 21 receives h(a.sub.i), h(b.sub.i) and h(V.sub.vi.parallel.r.sub.i) from each user 11-i. Accordingly, if the. quantitative competition apparatus 15A happens to know the random number r.sub.i for every user prior to the search for the minimum intended value V.sub.MIN, V.sub.w=V.sub.vi that matches h(V.sub.vi.parallel.r.sub.i) made public can be found out by calculating h(V.sub.w.parallel.r.sub.i) sequentially from V.sub.1 to V.sub.M for each i, and consequently, the quantitative competition apparatus 15B detects the minimum intended value V.sub.MIN before the bulletin board apparatus 21 begins to search for the vale V.sub.MIN--this is undesirable from viewpoint of security. In the first embodiment, however, since the pieces of random information a.sub.i and b.sub.i that r.sub.i=a.sub.i*b.sub.i are provided separately to the quantitative competition apparatuses 15A and 15B, neither of them can singly search for the value V.sub.MIN.

[0058] After the detection of the minimum intended value V.sub.MIN the validity of the value made public in the bulletin board apparatus 21 can be verified as described below.

[0059] The values h(a.sub.j), h(b.sub.j) and h(V.sub.vj.parallel.r.sub.j) of the user 11-j are already made public. The quantitative competition apparatuses 15A and 15B respectively send the random information a.sub.j and b.sub.j to the bulletin board apparatus 21, in which they are made public. Each user apparatus 13-i uses the published values V.sub.vj=V.sub.MIN to calculate h(V.sub.MIN.parallel.a.sub.j*b.sub.j) and verifies whether h(V.sub.MIN.parallel.a.sub.j*b.sub.j)=h(V.sub.vj.paralle- l.r.sub.j). A mismatch means that the user 11-j, or the quantitative competition apparatus 15A or 15B has cheated. Then, the values h(a.sub.j) and h(b.sub.j) are calculated from a.sub.j and b.sub.j, and a check is made to determine whether they match the published values. If a mismatch is found, it can be decided that the quantitative competition apparatus has cheated which sent that one of the pieces of random information a.sub.j and b.sub.j which does not match the corresponding value. If the both values match the published values, it can be decided that the user 11-j having sent the published value h(V.sub.vj.parallel.r.sub.j) has cheated.

[0060] As described above, by determining the random information ai and bi such that r.sub.i=a.sub.i*b.sub.i and keeping h(a.sub.i), h(b.sub.i) and h(V.sub.vi.parallel.r.sub.i) public in the bulletin board apparatus 21, each user can verify the validity of the random information a.sub.j, b.sub.j sent from the quantitative competition apparatuses 15A and 15B to the bulletin board apparatus 21. This produces the same effect as is obtainable in the case where the user 11-i attaches his signature to the random information a.sub.i, b.sub.i to guarantee their validity as long as it is proved that the verification information h(a.sub.i), h(b.sub.i) made public by the bulletin board apparatus 21 is about the user 11-i; furthermore, this scheme has advantages that the computational complexity involved is less than in the case of using the signature scheme and that the user does not require any signature means. Incidentally, it is desired in terms of security the random number r.sub.i be sufficiently large.

[0061] In the first embodiment, a person who knows HT.sub.w may estimate HS.sub.w, and if it is correct, he can detect another user's intended value, but since P is a large prime and since P-1 has large prime factor as its divisor, it is difficult to calculate RA.sub.w of HS.sub.w.sup.RAwmod P; hence, it is impossible to determine whether the estimated value HS.sub.w is truly correct. Accordingly, every user cannot find out any other user's intended value.

[0062] By making RA.sub.MIN and RB.sub.MIN public at last and using them and the element concatenations Seq.sub.s,MIN and Seq.sub.t,MIN, it can be verified whether fair quantitative competitions have been made.

[0063] In the quantitative competition apparatuses 15A and 15B, reading from and writing to the storage parts 41A and 41B, processing of received information, transmission of various information via the transmitting parts 45A and 45B to respective apparatuses and the operations of the respective parts are laced under the control of the control parts 46A and 46B. The quantitative competition apparatuses 15A and 15B can also be functioned through executions of programs by a computer.

[0064] Though its functional configuration is not shown in particular, the bulletin board apparatus 21 is provided with a transmitting-receiving part for communication with each user apparatus and the quantitative competition apparatuses 15A and 15B, and stores received information in the database (FIG. 1). When requested, the bulletin board apparatus 21 reads out the requested information from the database 23 for transmission to the apparatus having made the request; furthermore, the apparatus 21 transmits and receives information necessary for the procedure of FIG. 7 and for its execution. The bulletin board apparatus 21 can also be functioned through execution of programs by a computer.

[0065] The first embodiment has been described above to determine the minimum value V.sub.MIN among all users' intended values V.sub.vi with the numbers 1 to M made to correspond with the values V.sub.1 to V.sub.M in ascending order, but by making the numbers 1 to M correspond with the values V.sub.1 to V.sub.M in descending order, the maximum value V.sub.MAX among all of the intended values V.sub.i can also be determined using the above-described algorithm intact. That is, letting vi represent the number corresponding to the intended value V.sub.vi, the two sequences of information s.sub.i and t.sub.i need only to be generated so that, for the numbers 1 to M, s.sub.i,w=t.sub.i,w or s.sub.i,w.noteq.t.sub.i,w depending on whether the number element w is equal to or greater than 1 but smaller than vi or equal to or greater than vi but smaller than M. In short, only by arranging the values V to V.sub.M upside down in FIG. 6, it can be seen that the determination of the number MIN which provides the minimum intended value V.sub.MIN is the same as the determination of the number MAX which provides the maximum intended value V.sub.MAX. That is, in the first embodiment described above, if the order of numbering the values V.sub.1 to V.sub.M is reversed to M to 1 and the number MIN is replaced with the number MAX, FIG. 7 will be the quantitative competition procedure of searching for the maximum intended value V.sub.MAX. This applies to the embodiments described later on.

[0066] Second Embodiment

[0067] In the above-described first embodiment, if a certain user 11-i conspires with either one of the two quantitative competition apparatuses, the user 11-i, though having committed the intended value V.sub.vi, could secretly abandon the game (withdrawal of his bidding). The abandonment of the game mentioned herein means that the user 11-i will not be determined to have committed the minimum V.sub.MIN (will not be a winning bidder) regardless of his committed intended value V.sub.vi, that is, irrespective of whether the value V.sub.vi is the minimum among all the users' intended values V.sub.v1, V.sub.v2, . . . , V.sub.vN.

[0068] For example, in the case where the user 11-i conspires with the quantitative competition apparatus 15B and, each time supplied with w from the bulletin board apparatus 21, embeds not the sequence element t.sub.i,w of the user 11-i but the value of the sequence element si w from the user 11-i in the element concatenation Seq.sub.t,w in step S2B of the FIG. 7 quantitative competition procedure to thereby alter the sequence s.sub.i,w.noteq.t.sub.i,w to s.sub.i,w t.sub.i,w, even if the intended value V.sub.vi of the user 11-i is the minimum value V.sub.MIN, the user 11-i will not be determined to have committed the minimum value V.sub.MIN in the search for the minimum value by the bulletin board apparatus 21 but instead any one of the other users will be determined to have committed the minimum value V.sub.MIN. Such a determination cannot be said to be fair. Since the afore-mentioned fairness verification scheme verifies h(V.sub.vj.parallel.r.sub.j) and h(a.sub.j.parallel.b.sub- .j) only for the intended value V.sub.vj determined as the minimum value V.sub.MIN and published and the user 11-j, it is impossible to detect the cheat by a conspiracy between the user 11-i and the quantitative competition apparatus 15B.

[0069] A description will be given below of a second embodiment adapted to prevent a cheat by such a conspiracy between a user and a quantitative competition apparatus.

[0070] The second embodiment features the method for generating the sequences of information s.sub.i and t.sub.i of each user 11-i in the first embodiment. In this embodiment, an m-th element of each of the M-element sequences s.sub.i={s.sub.i,1, . . . , s.sub.i,M} and t.sub.i={t.sub.i,1, . . . , t.sub.i,M} is generated based on information about all elements preceding the m-th element. Accordingly, in the case of the sequence s.sub.i,1, . . . , s.sub.i,M, if the m-th element s.sub.i,m is replaced with t.sub.i,m or some other value s'.sub.i,m, the element s'.sub.i,m is not based on the information about the elements s.sub.i,1, s.sub.i,2, . . . , s'.sub.i,m, . . . , s.sub.i,M preceding it, and the subsequent elements s.sub.i,m+1, . . . , s.sub.i,M are not based on the elements preceding the element s.sub.i,m, either, and consequently, such a malicious replacement can be detected. The second embodiment will be described below concretely.

[0071] FIG. 8 illustrates in block form the configuration of the user apparatus 13-i adapted for the quantitative competition according to the second embodiment. In this embodiment the concatenating part 38 and the sharing part 39 in the FIG. 2 configuration are removed and the information sequence generating part 33 has such a configuration as depicted in FIG. 9. The random generating part 31 generates, as in the FIG. 2 embodiment, the random numbers R1.sub.i and R2.sub.i, and further generates initial random numbers s.sub.i,M+1, t.sub.i,M+1, ca.sub.i and cb.sub.i. Based on these initial random numbers, the information sequence generating part 33 generates s.sub.i,M, s.sub.i,M-1, . . . , s.sub.i,1, s.sub.i,0 and t.sub.i,M, t.sub.i,M-1, . . . , t.sub.i,1 in a sequential order.

[0072] FIG. 9 shows an example of the configuration of the information sequence generating part 33, which is shown to comprise hash calculators 33-1A and 33-1B, concatenators 33-2A and 33-2B, hash calculators 33-3A and 33-3B, and a concatenator 33-4. The hash calculators 33-1A and 33-1B are supplied with the initial random numbers ca.sub.i and cb.sub.i, respectively, then calculate their hash values h(ca.sub.i) and h(cb.sub.i), and in the next and subsequent rounds of calculation repeats calculating hash values of the calculation results each time. The coneatenator 33-2A concatenates the past sequence of information si of the preceding rounds of calculation with the current outputs from the hash calculators 33-1A and 33-1B. The concatenator 33-2B concatenates the sequence of information ti of the preceding rounds of calculation with the current outputs from the hash calculators 33-1A and 33-1B. The hash calculators 33-3A and 33-3B calculate hash values of the outputs from the concatenators 33-2A and 33-2B, respectively, and output the hash values as the current sequence elements s.sub.i,m and t.sub.i,m. The outputs from the hash calculators 33-1A and 33-1B, which are input to the concatenators 33-2A and 33-2B for an m-th round of hash calculation by the hash calculators 33-3A and 33-3B, are the outputs by an (m+1)-th round of hash calculation.

[0073] In the process for generating the subsequences s.sub.i,m and t.sub.i,m that are not equal, the initial random numbers s.sub.i,M+1 and t.sub.i,M+1 are input as initial values of the sequences of information s.sub.i and t.sub.i to the concatenators 33-2A and 33-2B, then the first-round outputs from the hash calculators 33-1A and 33-1B are input to the both concatenators 33-2A and 33-2B, and the hash values output from these concatenators are provided as sequences s.sub.i and t.sub.i of information of the second and subsequent rounds of calculation to the concatenators 33-2A and 33-2B. Upon completion of the generation of the subsequences from m=M to m=v, the output s.sub.i,vi.parallel.t.sub.i,vi from the concatenator 33-4 for m=vi-1 corresponding to the intended value V.sub.vi is input as the sequences of information s.sub.i and t.sub.i to the concatenators 33-2A and 33-2B, respectively, and the concatenated outputs are provided to the hash calculators 33-3A and 33-3B for calculating their hash values. In this process, since the same sequence of information s.sub.i,vi.parallel.t.sub.i,vi as the outputs from the hash calculators 33-1A and 33-1B are provided to the both concatenators 33-2A and 33-2B, the outputs s.sub.i,m and t.sub.i,m from the hash calculators 33-3A and 33-3B for m=vi-1 are equal to each other.

[0074] Thereafter, the outputs s.sub.i,m and t.sub.i,m from the hash calculators 33-3A and 33-3B are input again as sequences of information to the concatenators 33-2A and 33-2B, and hash calculations are repeated sequentially for m=vi-2, vi-3, . . . , 0, by which the subsequence s.sub.i,m=t.sub.i,m is generated.

[0075] FIG. 10 is a flowchart of the procedure to be followed by the user apparatus 13-i in the second embodiment.

[0076] Step S1: Generate the initial random numbers R1.sub.i, R2.sub.i, ca.sub.i, cb.sub.i, s.sub.i,M+1 and t.sub.i,M+1.

[0077] Step S2: Set an initial value m at M, then sequentially calculate, for the element number vi corresponding to the intended value vi,

s.sub.i,m=h(s.sub.i,m+1.parallel.h.sup.M+1-m(ca.sub.i).parallel.h.sup.M+1-- m(cb.sub.i))

t.sub.i,m=h(t.sub.i,m+1.parallel.h.sup.M+1-m(ca.sub.i).parallel.h.sup.M+1-- m(cb.sub.i))

[0078] for m=M, M-1, . . . , vi, and store the calculation results as subsequences S.sub.i,m.noteq.t.sub.i,m.

[0079] Step S3: Calculate

s.sub.i,m=t.sub.i,m=h(s.sub.i,m+1.parallel.t.sub.i,m+1.parallel.h.sup.M+1-- m(ca.sub.i).parallel.h.sup.M+1-m(cb.sub.i))

[0080] for m=vi-1 and store it.

[0081] Step S4: Calculate

s.sub.i,m=t.sub.i,m=h(s.sub.i,m+1.parallel.h.sup.M+1-m(ca.sub.i).parallel.- h.sup.M+1-m(cb.sub.i))

[0082] sequentially for m=vi-2, vi-3, . . . , 0 and store it as subsequences s.sub.i,m=t.sub.i,m.

[0083] Step S5: Encrypt R1.sub.i and s.sub.i={s.sub.i,1, s.sub.i,2, . . . , s.sub.i,M}, then send the resulting E.sub.A(s.sub.i.parallel.R1.sub.i) to the quantitative competition apparatus 15A, then encrypt R2.sub.i and t.sub.i={t.sub.i,1, t.sub.i,2, . . . , t.sub.i,M}, and send the resulting E.sub.B(t.sub.i.parallel.R1.sub.i) to the quantitative competition apparatus 15B.

[0084] Step S6: Send H1.sub.i=h(s.sub.i.parallel.R1.sub.i), H2.sub.i=h(t.sub.i.parallel.R2.sub.i), s.sub.i,0, h.sup.M+1(ca.sub.i) and h.sup.M+1(cb.sub.i) to the bulletin board apparatus 21 for publication.

[0085] The quantitative competition processing, that is, the processing of searching for the minimum intended value V.sub.MIN, by the bulletin board apparatus 21 and the quantitative competition apparatuses 15A and 15B is the same as described previously with reference to FIG. 7.

[0086] After specifying the minimum value V.sub.MIN, the bulletin board apparatus 21 calculates the hash values h(ca.sub.i) and h(cb.sub.i) from the user apparatus 13-i (M+1-MIN) times to obtain h.sup.M+1-MIN(ca.sub.i) and h.sup.M+1-MIN(cb.sub.i) (where i=1, 2, . . . , N), which are made public. The validity of these values is guaranteed by verifying whether the values obtained by further calculating them MIN times match the published information h.sup.M+1(ca.sub.i) and h.sup.M+1(cb.sub.i). Moreover, since s.sub.i,MIN, t.sub.i,MIN, h.sup.M+1-MIN(ca.sub.i) and h.sup.M+1-MIN(cb.sub.i) of each user are made public by a winner (successful bidder) specifying phase, any user can equally calculate s.sub.i,0 by executing step S4 through utilization of the published information.

[0087] If the user 11-i and the quantitative competition apparatus 15A or 15B conspire to replace s.sub.i,w and t.sub.i,w for s.sub.i,MIN and t.sub.i,MIN as described previously, a value different from s.sub.i,0 is usually calculated. In other words, the replacement is detected. But this verification is inefficient on the order of MN that is the product of the choosable number M of intended values and the number N of users. However, since the primary object is to determine the winner and his intended value, this "fairness verification phase" of the loser is not essential, and in practice it needs only to be performed after completion of the protocol.

[0088] Third Embodiment

[0089] In the first and second embodiments two quantitative competition apparatuses and each user apparatus generates two sequences of information s.sub.i and t.sub.i. This embodiment uses three quantitative competition apparatuses, including the third quantitative competition apparatus 15C surrounded by the broken line in FIG. 1. Each user generates three sequences of information si, t.sub.i and u.sub.i in the same manner as in the afore-described embodiments such that s.sub.i,m=t.sub.i,m=u.sub.i,m for m=1, 2, . . . , vi-1 and s.sub.i,m.noteq.t.sub.i,m.noteq.u.sub.i,m for m=vi, vi+1, . . . , M where vi corresponds to the intended value V.sub.vi, and secretly sends each of them to one of the three quantitative competition apparatuses, and as is the case with the first embodiment, the quantitative competition processing is carried out by two quantitative competition apparatus and the bulletin board apparatus. In this instance, when one of the two quantitative competition apparatuses goes down, the third quantitative competition apparatus carries on the processing of the failing apparatus. This embodiment is identical in basic operation with the first embodiment, and hence it will be described with reference to the drawings showing the first embodiment.

[0090] The user 13-i (where i=1, 2, . . . , N) determines the intended integral value V.sub.vi equal to or greater than V.sub.1 and equal to or smaller than V.sub.M, and generates, by the information sequence generating part 33 in the user apparatus 13-i of FIG. 2, three sequences of information s.sub.i, t.sub.i and u.sub.i such that pieces of information corresponding to the values in the range from V.sub.1 to V.sub.vi-1 are all equal but pieces of information corresponding to the values in the range from V.sub.vi to V.sub.M are all different. Further, the user generates random numbers R1.sub.i, R2.sub.i, R3.sub.i and r.sub.i in the random generating part 31, and determines random information a.sub.i, b.sub.i and c.sub.i such that r.sub.i=a.sub.i*b.sub.i*c.sub.i. A pair of information (s.sub.i, R1.sub.i) and the information a.sub.i, a pair of information (t.sub.i, R2.sub.i) and the information b.sub.i, and a pair of information (u.sub.i, R3.sub.i) and the information c.sub.i are sent secretly (in encrypted form) to the quantitative competition apparatuses 15A, 15B and 15C, respectively. Moreover, hash values H1.sub.i=h(s.sub.i.parallel.R1.s- ub.i), H2.sub.i=h(.sub.t.parallel.R2.sub.i) and H3.sub.i=h(u.sub.i.paralle- l.R3.sub.i) of concatenations s.sub.i.parallel.R1.sub.i, t.sub.i.parallel.R2.sub.i and u.sub.i.parallel.R3.sub.i of the respective pairs are calculated using the hash function h; hash values h(a.sub.i), h(b.sub.i) and h(c.sub.i) of the random information and a hash value h(V.sub.i.parallel.r.sub.i) of the intended value V.sub.vi and the random number r.sub.i are calculated; and hash values h(a.sub.i), h(b.sub.i) and h(c.sub.i) of the random information and a hash value h(V.sub.i.parallel.r.sub.i) of the intended value V.sub.vi and the random number r.sub.i are calculated. These hash values are sent to the bulletin board apparatus 21, wherein they are made public.

[0091] Each user 11-i commits the value V.sub.vi by sending the hash values H1.sub.i, H2.sub.i, H3.sub.i and h(V.sub.i.parallel.r.sub.i) to the bulletin board apparatus 21 and making them public. As a result, the intended value is no longer changeable, and if a value larger than the intended value V.sub.vi is determined to be the minimum value for some reason, the user can prove, by making public at least two of three pairs of information (s.sub.i, R1.sub.i), (t.sub.i, R2.sub.i) and (u.sub.i, R3.sub.i), that his intended value is qualified as the minimum value. Assume that the random number r.sub.i can be calculated when two of three pairs of information are known.

[0092] Since the subsequent quantitative competition processing can be performed by the bulletin board apparatus 21 and two quantitative competition apparatuses as described previously with reference to the first embodiment, the FIG. 7 procedure is followed using two quantitative competition apparatuses, for example, 15A and 15B.

[0093] That is, the bulletin board apparatus 21 first sends the maximum integer w equal to or smaller than (w.sub.min+w.sub.max)/2=(1+M)/2 as an initial value to the both quantitative competition apparatuses 15A and 15B. The quantitative competition apparatus 15A generates a random number RA.sub.w, then extracts elements s.sub.i,w of the s.sub.i-sequences of information received from all user apparatuses, and generates an element concatenation Seq.sub.s,w=s.sub.1,w.parallel.s.sub.2,w.parallel. . . . .parallel.s.sub.N,w such that the extracted elements are arranged in the order of users 11-1, 11-2, . . . , 11-N. Further, the quantitative competition apparatus 15A calculates a hash value HS.sub.w=h'(Seq.sub.s,w- ) by the hash function h', a hash value HA.sub.w=h(RA.sub.w.parallel.HS.su- b.w) by the hash function h, and a modular exponent CA.sub.w=HS.sub.w.sup.RAw(mod P), and sends a pair of information (HA.sub.w, CA.sub.w) to the bulletin board 21. The quantitative competition apparatus 15B generates a random number RB.sub.w, then extracts elements t.sub.i,w of t.sub.i-sequences of information received from all the user apparatuses, then generates an element concatenation Seq.sub.t,w=t.sub.1,w.parallel.t.sub.2,w.parallel. . . . .parallel.t.sub.N, such that the extracted elements are arranged in the order of users 11-1, 11-2, . . . , 11-N, then calculates a hash value HT.sub.w=h'(Seq.sub.t,w) by the hash function h', a hash value HB.sub.w=h(RB.sub.w.parallel.HT.sub.w) by the hash function h, and a modular exponent CB.sub.w=HT.sub.w.sup.RBw(mod P), and sends a pair of information (HB.sub.w, CB.sub.w) to the bulletin board 21.

[0094] Next, the quantitative competition apparatus 15A reads the modular exponent CB.sub.w=HT.sub.w.sup.RBw(mod P) made public by the bulletin board apparatus 21, then calculates CB.sub.w.sup.RAwmod P=(HT.sub.w.sup.RBw).sup.RAw(mod P), and sends it to the bulletin board apparatus 21. The quantitative competition apparatus 15B reads the modular exponent CA.sub.w=HS.sub.w.sup.RAw(mod P) made public by the bulletin board apparatus 21, then calculates CA.sub.w.sup.RBwmod P=(HS.sub.w.sup.RAw).sup.RAw(mod P), and sends it to the bulletin board apparatus 21.

[0095] If HS.sub.w and HT.sub.w are equal, then (HT.sub.w.sup.RBw).sup.RAw- (mod P) and (HS.sub.w.sup.RAw).sup.RBw(mod P) are equal, and since P is a large prime and P-1 has a large prime factor as its divisor, there is little possibility that HS.sub.w and HT.sub.w differ and (HT.sub.w.sup.RBw).sup.RAw(mod P) and (HS.sub.w.sup.RAw).sup.RBw(mod P) become equal. Accordingly, it can be seen that when (HT.sub.w.sup.RBw).sup.RAw(mod P) and (HS.sub.w.sup.RAw).sup.RBw(mod P) are equal, the minimum intended value V.sub.MIN is equal to or greater than V.sub.w+1, whereas when they differ, the value V.sub.MIN equal to or smaller than V.sub.w. If they are equal, w+1 is substituted for the variable W.sub.min, and if they differ, w is substituted for the variable w.sub.max, after which the above manipulation is repeated. By repeating the manipulation about log M times, w.sub.max=W.sub.min(=MIN) is obtained. The value V.sub.MIN thus obtained is the minimum intended value. In the following description, MIN will be used as the element number corresponding to V.sub.MIN in the sequences of information s.sub.i and t.sub.i as in the case of FIG. 6.

[0096] After detecting the minimum intended value V.sub.MIN, the quantitative competition apparatuses 15A, 15B and 15C send a.sub.j, Seq.sub.s,MIN and RA.sub.MIN, b.sub.j, Seq.sub.t,MIN and RB.sub.MIN, and only c.sub.j, respectively, to the bulletin board apparatus 21, y which they are made public. By this, all the users can detect that the user corresponding to that common position of the two sequences holding different pieces of information is the user 11-j having committed V.sub.MIN as his intended value.

[0097] Suppose, for example, that the quantitative competition apparatus 15B goes down in the above process. Since the information possessed by the quantitative competition apparatus 15B and the information by the quantitative apparatus 15C are essentially identical, the latter can take over the operation of the former.

[0098] The fairness of the minimum intended value V.sub.MIN made public in the bulletin board apparatus 21 can be verified, for example, through utilization of such secret sharing techniques as disclosed in Shamir. A, "How to Share a Secret," Comm. Assoc. Comput. March., vol. 22, no. 11, pp.612-613 (November 1979). That is, for the values H(A.sub.j), H(B.sub.j) and H(C.sub.j) committed by the user, the user's committed values A.sub.j, B.sub.j and C.sub.j can be disclosed by the cooperation of at least two of the three quantitative competition apparatuses. That is, H(Vmin.parallel.A.sub.j*B.sub.j*C.sub.j) can be verified.

[0099] After sending the concatenation elements Seq.sub.s,MIN and Seq.sub.s,MIN from the quantitative competition apparatuses 15A and 15B to the bulletin board apparatus 21 for publication, that one of Seq.sub.s,z and Seq.sub.t,z (where z=1, 2, . . . , MIN) which was used for quantitative competition may be sent to the bulletin board apparatus 21 to reveal that V.sub.MIN is valid.

[0100] As described above, according to the present invention, the quantitative competition apparatuses 15A and 15B extract from the respective sequences s.sub.i and t.sub.i (where i=1, . . . , N) the elements s.sub.i,w and t.sub.i,w corresponding to the value w specified by the bulletin board apparatus 21, then create the element concatenations Seq.sub.s,w and Seq.sub.t,w with the extracted elements arranged in predetermined orders, then compare the element concatenations without revealing them, then decide whether there is a user having his intended value equal to or smaller than V.sub.w (equal to or greater than V.sub.w in the case of detecting the maximum value) depending on whether the concatenations are equal or different, and change the value w based on the result of decision. The quantitative competition apparatuses 15A and 15B need not always use the modular exponents CA.sub.w=HS.sub.w.sup.R- Aw(mod P) and CB.sub.w=HT.sub.w.sup.RBw(mod P), in which case they generate only HS.sub.w=h(Seq.sub.s,w) and HT.sub.w=h(Seq.sub.t,w) in steps S2A and 2B in FIG. 7, then send them to the bulletin board apparatus 21, and in step S4 compare them to decide whether they match each other. In this instance, however, if each element of the sequences s.sub.i and t.sub.i is simple-configured with one bit, for instance, then the element concatenation Seq.sub.s,w becomes simple, for example, (0.parallel.1.parallel.1.parallel.0.parallel.1.parallel.0.parallel.0). By producing the concatenation Seqs.sub.s,w of an arbitrary bit string and calculating its hash value, it becomes easy to find, by trial and error, a bit string that matches the published HS.sub.w=h(Seq.sub.s,w). Therefore, too much a simple element configuration is not preferable in terms of security. On the other hand, in the case of hiding the values HS.sub.w and HT.sub.w by concatenating them with the random numbers RA.sub.w and RB.sub.w, respectively, and hashing them as in the FIG. 7 embodiment, the 1-bit elements of the sequences s.sub.i and t.sub.i do not present any problem in terms of security. The 1-bit configuration of each element of the sequences s.sub.i and t.sub.i permits reduction of the amount of data for the encrypted information E.sub.A(s.sub.i.parallel- .R1.sub.i) and E.sub.B(t.sub.i.parallel.R2.sub.i) that are sent from the user apparatus to the quantitative competition apparatuses 15A and 15B--this provides the advantage of decreasing the channel capacity.

[0101] In the case of sending the hash values for verification use H1.sub.i=h(s.sub.i.parallel.R1.sub.i) and H2.sub.i=h(t.sub.i.parallel.R2.- sub.i) to the bulletin board apparatus 21, too, the random numbers R1i and R2i are intended to increase security, and hence they need not always to be used. Accordingly, the hash values can be sent as H1.sub.i=h(s.sub.i) and H2.sub.i=h(t.sub.i) to the bulletin board apparatus 21.

[0102] Further, the above embodiments have been described to use the one-way functions for comparing the element concatenations Seq.sub.s,w and Seq.sub.t,w without revealing their values, but it is also possible to encrypt the concatenations Seq.sub.s,w and Seq.sub.t,w by the same key and send the encrypted values to the bulletin board apparatus 21 for comparison.

[0103] In the first and third embodiments, for example, in the case of calculating the minimum value, it is possible to use a predetermined common one-way function for the two sequences of information s.sub.i and t.sub.i that are generated in the information sequence generating part 33 and determine seed values s'.sub.i and t'.sub.i that provide F.sup.d(s'.sub.i).noteq.F.sup.d(t'.sub.i) (where d=0, 1, . . . , M-vi) and F.sup.e(S'.sub.i).noteq.F.sup.e(t'.sub.i) (where e=M-vi+1, . . . , M-1) for the intended value. For example, F.sup.3(s'.sub.i)is a multi-function representing F(F(F(s'.sub.i))). Accordingly, the sequences of information s.sub.i and t.sub.i become as follows:

s.sub.i={s.sub.i,1=F.sup.M-1(s'.sub.i), s.sub.i,2=F.sup.M-2(s'.sub.i), . . . , s.sub.i,vi-1=F.sup.M-vi+1(s'.sub.i), s.sub.i,vi=F.sup.M-vi(s'.sub.i), . . . , s.sub.i,M-1=F(s'.sub.i), s.sub.i,M=s'.sub.i}

t.sub.i={t.sub.i,1=F.sup.M-1(t'.sub.i), t.sub.i,2=F.sup.M-2(t'.sub.i), . . . , t.sub.i,vi-1=F.sup.M-vi+1(t'.sub.i), t.sub.i,vi=F.sup.M-vi(t'.sub.i), . . . , t.sub.i,M-1=F(t'.sub.i), t.sub.i,M=s'.sub.i}

[0104] With this sequence generating scheme, when the seed values s'.sub.i and t'.sub.i, all the elements s.sub.i,1, . . . , s.sub.i,M and t.sub.i,1, . . . , t.sub.i,M can be calculated using the common one-way function. Accordingly, all the elements of the sequences of information s.sub.i and t.sub.i need not be incorporated in the encrypted sequences of information E.sub.A(s.sub.i.parallel.R1.sub.i) and E.sub.B(t.sub.i.parallel.R2.sub.i) that are sent from the user apparatus to the quantitative competition apparatuses 15A and 15B, but instead by sending the encrypted sequences of information with only seed values s'.sub.i and t'.sub.i incorporated therein, that is, E.sub.A(s'.sub.i.parallel.R1.sub.i) and E.sub.B(t'.sub.i.parallel.R2.sub.- i), the quantitative competition apparatuses 15A and 15B can generate the sequences of information s.sub.i and t.sub.i from the seed values s'.sub.i and t'.sub.i through utilization of the common one-way function F.

[0105] A description will be given of how to determine the multi-function F(x) for generating the sequences of information s.sub.i and t.sub.i based on the seed values s'.sub.i and t'.sub.i and the seed values.

[0106] The user apparatus 11-i calculates primes p and q of proper sizes and calculates a composite number n=p*q. The composite number n is one that us used in the RSA cryptosystem based on the factoring problem. From the security point of view, it is preferable that the primes p and q have sizes of about 512 or 1024 bits and that p-1 and q-1 have large prime factors.

[0107] Then, the user apparatus 11-i generates random numbers ak of values in the range of between 0 to n-1 for k=0 to m, and creates a polynomial

F(x)=a.sub.m*x.sup.m+a.sub.m-1*x.sup.m-1+ . . . +a.sub.1*x+a.sub.0.

[0108] Next, the user apparatus 11-i generates random numbers s'.sub.i and t'.sub.i of values in athe range of between 0 and n-1, and set them as the seed values. After this, the user apparatus finds out a collision with F(x) mod n, for example, by such a scheme as described below.

[0109] Step 1: calculate F.sup.u(s'.sub.i)mod n for u=1, 2, . . . , c, and stores the results of sequential calculations F(s'.sub.i), F.sup.2(s'.sub.i), . . . , Fc(s'.sub.i), where c is a parameter that the user determines and F.sup.u(x) is a u-fold multi-function.

[0110] Step 2: Set flag=0, v=0 and mx--c', where c' is a parameter that the user determines.

[0111] Step 3: Calculates Fv(t'i)mod n, then stores the result of calculation, then makes a check to see if the calculated value matches any one of the values F(s'i), F.sup.2(s'i), . . . , Fc(s'i) stored in step 1, and if any, set flag=i.

[0112] Step 4: If flag=1 or v=c', discontinue the procedure, or if not, increment v by one and return to step S3.

[0113] In this case, the final state of flag=1 is equivalent to the detection of a collision. In general, however, since F(x) mod n covers a wide range (approximately 1024 or 2048 bits), it is expected that the collision will not readily be found. By selecting a natural number n' smaller than n and replacing the original output F(x) mod n with (F(x) mod n) mod n' so as to reduce the value of F(x) mod n to a narrow range, the collision could be detected with more ease. In this case, for example, (35 mod 15) mod 3 is 5 mod 3=2. At any rate, the following description will be given on the assumption that the collision has been detected.

[0114] Assuming that F.sup.u'-1(s'.sub.i).noteq.F.sup.v'-1(t'.sub.i), F.sup.u'(s'.sub.i)=F.sup.v'(t'.sub.i), and the intended value V.sub.vi is w-th counted from the minimum value V.sub.1, the sequences of information s.sub.i and t.sub.i can be constructed if M-w+1.ltoreq.u' and M-w+1.ltoreq.v'. That is, the sequences of information need only to be set as follows:

s.sub.i={s.sub.i,1=F.sup.u'+w-2(s'.sub.i), . . . , s.sub.i,w=F.sup.u'-1(s'- .sub.i), . . . , s.sub.i,M=F.sup.u'+w-M-1(s'.sub.i)}

t.sub.i={t.sub.i,1=F.sup.u'+w-2(t'.sub.i), . . . , t.sub.i,w=F.sup.u'-1(t'- .sub.i), . . . , t.sub.i,M=F.sup.u'+w-M-1(t'.sub.i)}

[0115] Incidentally, the reason for which the composite number n, relying on the factoring problem, is used in mod n is to inhibit easy factorization of a polynomial F'(x)=F(x)/(x-x') when the constant x' is present. For example, noting an element Si,k of the sequence of information si, it can be seen that the intended value of the user 11-i is not Vk when there is present only one z that satisfies F(z)=s,kmod n.

[0116] With the above-mentioned collision search scheme, since there is a fear of leakage of information about the intended value, care should be taken in choosing the number n'. Conversely, when the conditions of the sequences of information s.sub.i and t.sub.i are not met, collision search steps 1 to 4 need only to be performed again.

[0117] A hash function may be used as the function F(x). In such an instance, too, it is expected that the collision cannot readily be detected, but by reducing the output to a narrow range by the above-described scheme, the collision can be detected with ease. In some cases, however, it may become necessary to pad the input in association with the size of the output to be reduced.

[0118] With the method of sending only the seed value as described above, it is possible to reduce the channel capacity and communication time for sending the sequence of information to each quantitative competition apparatus. Further, even if the number M of values choosable as the intended value V.sub.vi is increased, the channel capacity remains unchanged since only the seed value is sent. On the other hand, in the case of using random numbers to generate the sequences of information as in the first embodiment, as the number M of values choosable as the intended value, the number of elements of each sequence of information increases accordingly, causing an increase in the channel capacity.

[0119] In the case of calculating the maximum value, too, all the elements of each sequence of information may be generated from the seed value through the use of the one-way function.

[0120] While the above embodiments determine the minimum value V.sub.MIN among all of the users' intended values V.sub.vi, the maximum intended value V.sub.MAX can similarly be determined. In this instance, the two sequences of information s.sub.i and t.sub.i are adapted so that they differ in the information corresponding to the values equal to or greater than V.sub.1 and equal to or smaller than V.sub.vi and that they are common in the information corresponding to the values equal to or greater than V.sub.vi+1 and equal to or smaller than V.sub.M. Further, in the comparisons between Seq.sub.s,w and Seq.sub.t,w, between HS.sub.w=h'(Seq.sub.s,w) and HT.sub.w=h'(Seq.sub.t,w) and between (HT.sub.w.sup.RBw).sup.RAwmod P and (HS.sub.w.sup.RAw).sup.RBwmod P which correspond to the chosen value w, if they differ, it is judged that there is a user who has committed his intended value equal to or larger than V.sub.w, and if they equal, it is judged that there is no user who has committed his intended value equal to or larger than V.sub.w. When they equal, w-1 is substituted for W.sub.max, and when they differ, w is substituted for w.sub.min, after which the same processing as described above needs only to be repeated.

[0121] By determining the value w in the manner described above, the minimum or maximum value can be calculated efficiently, but the quantitative competition may also be conducted, for example, by sequentially changing the value w from the value V.sub.1 or V.sub.M. Moreover, it is also possible that one quantitative competition apparatus determines the first value of w, sends it via the bulletin board apparatus 21 to the other quantitative competition apparatus, then receives necessary information from the bulletin board apparatus 21, and performs the processing shown in FIG. 7.

[0122] Effect of the Invention

[0123] As described above, the present invention permits implementation of a highly invulnerable quantitative competition method in which simply by sending from the user the information about his intended value to each quantitative competition apparatus and the bulletin board apparatus only once, the maximum or minimum value can be specified efficiently and, if necessary, only the user having committed the maximum or minimum value as his intended value can be specified.

Claims

What is claimed is:

1. A quantitative competition method in which the minimum one V.sub.MIN of all users' intended values V.sub.vi selected from among M monotone increasing values V.sub.w, where w=1, 2, . . . , M, in the range of predetermined lower-limit and upper-limit values V.sub.1 and V.sub.M and only a user j having selected said minimum value W.sub.MIN as his intended value are specified by a plurality of user apparatuses i, where i=1, . . . , N, said N being an integer equal to or larger than 2, first and second quantitative competition apparatuses, and a bulletin board apparatus that makes public information received from said plurality of user apparatuses and said first and second quantitative competition apparatuses, said method comprising: Step (a) wherein each of said user apparatuses i: responds to said intended value V.sub.vi input from one of said all users to generate two M-element sequences of information s.sub.i and t.sub.i whose corresponding elements equal at values in the range from said lower-limit value V.sub.1 or larger to said intended value V.sub.vi or smaller and differ at values in the range from said intended value V.sub.vi or larger to said upper-limit value V.sub.M or smaller; and secretly sends information about said two M-element sequences of information s.sub.i and t.sub.i to said first and second quantitative competition apparatuses, respectively, said M representing the number of values selectable as said intended values in the range from said lower-limit value V.sub.1 or larger to said upper-limit value V.sub.M or smaller; Step (b) wherein said first quantitative competition apparatus: extracts, for a given value V.sub.w equal to or larger than said lower-limit value V.sub.1 and equal to or smaller than said upper-limit value, those elements s.sub.i,w of said M-element sequences of information s.sub.i sent from said all user apparatuses which correspond to w; and generates an element concatenation Seq.sub.s,w=s.sub.1,w.parall- el.s.sub.2,w.parallel. . . . .parallel.s.sub.N,w in which said extracted elements s.sub.i,w are arranged in a predetermined order, said .parallel. representing the concatenation of data; Step (c) wherein said second quantitative competition apparatus: extracts, for said given value V.sub.w, those elements t.sub.i,w of said M-element sequences of information t.sub.i sent from said all user apparatuses which correspond to said value w; and generates an element concatenation Seq.sub.t,w=t.sub.i,w.parallel.t.sub.2,w.parallel. . . . .parallel.t.sub.N,w in which said extracted elements t.sub.i,w are arranged in a predetermined order; Step (d) wherein said bulletin board apparatus: compares said element concatenations Seq.sub.s,w and Seq.sub.t,w without revealing their values; decides the presence or absence of a user having selected his intended value equal to or smaller than said value V.sub.w, depending on whether said concatenations Seq.sub.s,w and Seq.sub.t,w differ or equal; determines the minimum intended value V.sub.MIN by changing said value w based on said decision and makes the value MIN public; and Step (e) wherein said first and second quantitative competition apparatuses send element concatenations Seq.sub.s,MIN and Seq.sub.t,MIN, respectively, to said bulletin board apparatus to make them public, whereby allowing each user to identify user j who committed the minimum intended value V.sub.MIN by finding j which satisfies s.sub.j,MIN.noteq.t.sub.j,MIN of the corresponding elements in said element concatenations Seq.sub.s,MIN and Seq.sub.t,MIN.

2. The method of claim 1, wherein: said Step (a) includes: a step wherein said user apparatus of said each user i generates random numbers R1.sub.i and R2.sub.i secretly send a pair of information (R1.sub.i, s.sub.i) to said first quantitative competition apparatus and a pair of information (R2.sub.i, t.sub.i) to said second quantitative competition apparatus; and a step wherein said user apparatus calculates hash values H1.sub.i=h(R1.sub.i.parallel.s.sub.i) and H2.sub.i=h(R2.sub.i.parallel.t.- sub.i) of concatenations R1.sub.i.parallel.s.sub.i and R2.sub.i.parallel.t.sub.i of said pairs of information (R1.sub.i, s.sub.i) and (R2.sub.i, t.sub.i) by a hash function h, and sends said hash values H1.sub.i and H2.sub.i to said bulletin board apparatus; and said Step (d) includes a step wherein said bulletin board apparatus makes public said hash values H1.sub.i and H2.sub.i, where i=1, 2, . . . , N, as commitments of said all users.

3. The method of claim 2, wherein: said Step (b) includes a step wherein said first quantitative competition apparatus: calculates a hash value HS.sub.w=h(Seq.sub.s,w) of said element concatenation Seq.sub.s,w by said hash function h; and sends said hash value HS.sub.w to said bulletin board apparatus; said Step (c) includes a step wherein said second quantitative competition apparatus: calculates a hash value HT.sub.w=h(Seq.sub.t,w) of said element concatenation Seq.sub.t,w by said hash function h; and sends said hash value HT.sub.w to said bulletin board apparatus; and said Step (d) includes a step wherein said bulletin board apparatus: makes public and compares said hash values HS.sub.w and HT.sub.w received from said first and second quantitative competition apparatuses; decides the presence or absence of a user having selected his intended value equal to or smaller than said value V.sub.w, depending on whether said hash values HS.sub.w and HT.sub.w differ or equal; and determines said minimum intended value V.sub.MIN by changing said value w based on said decision.

4. The method of claim 2, wherein: said first and second quantitative competition apparatuses have stored therein a prime P made public previously by said bulletin board apparatus, said prime P being a prime such that P-1 has a large prime as its divisor, and said first and second quantitative competition apparatuses having selected a common integral value w; said Step (b) includes a step wherein said first quantitative competition apparatus: calculates a hash value HS.sub.w=h'(Seq.sub.s,w) of said element concatenation Seq.sub.s,w by a hash function h' that maps an arbitrary integer over a finite field uniquely and randomly; generates a random number RA,; calculates a hash value HA.sub.w=h(RA.sub.w.parallel- .HS.sub.w) of a concatenation RA.sub.w.parallel.HS.sub.w by said hash function h; calculates HS.sub.w.sup.RAw(mod P); and sends a pair (HA.sub.w, HS.sub.w.sup.RAw(mod P)) of said hash value HA.sub.w and said value HS.sub.w.sup.RAw(mod P) to said bulletin board apparatus; said Step (c) includes a step wherein said second quantitative competition apparatus: calculates a hash value HT.sub.w=h'(Seq.sub.t,w) of said element concatenation Seq.sub.t,w by a hash function h'; generates a random number RB.sub.w; calculates a hash value HB.sub.w=h(RB.sub.w.paral- lel.HT.sub.w) of a concatenation RB.sub.w.parallel.HT.sub.w by said hash function h; calculates HT.sub.w.sup.RBw(mod P); and sends a pair (HB.sub.w, HT.sub.w.sup.RBw(mod P)) of said hash value HB.sub.w and said value HT.sub.w.sup.RBw(mod P) to said bulletin board apparatus; and said Step (d) includes: a step wherein said first quantitative competition apparatus reads said HT.sub.w.sup.RBw(mod P) from said bulletin board apparatus, and calculates and sends (HT.sub.w.sup.RBw).sup.RAw(mod P) to said bulletin board apparatus; a step wherein said second quantitative competition apparatus reads said HS.sub.w.sup.RAw(mod P) from said bulletin board apparatus, and calculates and sends (HS.sub.w.sup.RAw).sup.RBw(mod P) to said bulletin board apparatus; and a step wherein said bulletin board apparatus: makes public and compares said (HS.sub.w.sup.RAw).sup.RBw(mod P) and (HT.sub.w.sup.RBw).sup.RAw(mod P) received from said first and second quantitative competition apparatuses; decides the presence or absence of a user having selected his intended value equal to or smaller than said value V.sub.w, depending on whether said (HS.sub.w.sup.RAw).sup.RBw(mod P) and (HT.sub.w.sup.RBw).sup.RAw(mod P) differ or equal; and determines said minimum intended value V.sub.MIN by changing said value w based on said decision.

5. The method of claim 3 or 4, wherein: letting w.sub.min and w.sub.max represent variables, said first and second quantitative competition apparatuses have said value w in common as the maximum integer equal to or smaller than (w.sub.min+w.sub.max)/2=(1+M)/2 where w.sub.min=1 and w.sub.max=M; and said Step (d) includes a step wherein: w is substituted for said variable w.sub.max or w+1 is substituted for said variable w.sub.min, depending on the presence or absence of a user having selected his intended value equal to or smaller than said value V.sub.w; said Steps (b) and (c) are repeated until w.sub.max=w.sub.min=MIN to obtain said minimum intended value V.sub.MIN corresponding to said value MIN; and upon each repetition of said Steps (b) and (c), said bulletin board apparatus makes public the results of calculation.

6. The method of claim 4, wherein each element of said M-element sequences of information s.sub.i and t.sub.i is a one-bit element.

7. The method of claim 4 or 6, said step (e) further comprising a step wherein said first and second quantitative competition apparatus send said bulletin board apparatus random numbers RA.sub.MIN and RB.sub.MIN and make them public.

8. The method of any one of claims 1 to 4, wherein: L quantitative competition apparatuses are provided, said L being equal to or larger than 3; said Step (a) includes a step wherein when supplied with said value V.sub.vi, said each user apparatus generates L sequences of information S.sub.ik, where k=1, 2, . . . , L, said L sequences of information S.sub.ik being such that they are equal in all pieces of information corresponding to values equal to or greater than V.sub.1 and equal to or smaller than V.sub.vi but different in all pieces of information corresponding to values equal to or larger than V.sub.vi and equal to or smaller than V.sub.M and such that said value V.sub.vi can be detected when at least two sequences s.sub.ia and s.sub.ib of said L sequences of information s.sub.ik are known, where a.noteq.b; and said each user apparatus sends said L sequences of information s.sub.ik to a k-th quantitative competition apparatus; and wherein two of said L quantitative competition apparatuses conduct quantitative competition, and when one of said two quantitative competition apparatuses goes down, another normal one of the remaining quantitative competition apparatuses is used to continue said quantitative competition.

9. The method of claim 1, wherein said Step (a) includes a step wherein: said each user apparatus secretly sends seed values s'.sub.i and t'.sub.i as information corresponding to said two sequences of information s.sub.i and t.sub.i to said first and second quantitative competition apparatuses, respectively; letting vi represent the element number corresponding to said intended value V.sub.vi, said seed values s'.sub.i and t'.sub.i are determined by a one-way function F so that F.sup.d(s'.sub.i)=F.sup.d(t'.sub.i), where d=0, 1, . . . , M-vi, and F.sup.e(s'.sub.i)=F.sup.e(t'.sub.i), where e=M-vi+1, . . . , M-1; and said two sequences of information s.sub.i and t.sub.i are given by the following equations s.sub.i={s.sub.i,1=F.sup.M-1(s'.sub.i), s.sub.i,2=F.sup.M-2(s'.sub.i), . . . , s.sub.i,vi-1=F.sup.M-vi+1(s'.sub.i- ), s.sub.i,vi=F.sup.M-vi(s'.sub.i), . . . , s.sub.i,M-1=F(s'.sub.i), s.sub.i,M=s'.sub.i} and t.sub.i={t.sub.i,1=F.sup.M-1(t'.sub.i), t.sub.i,2=F.sup.M-2(t'.sub.i), . . . , t.sub.i,vi-1=F.sup.M-vi+1(t'.sub.i- ), t.sub.i,vi=F.sup.M-vi(t'.sub.i), . . . , t.sub.i,M-1=F(t'.sub.i), t.sub.i,M=s'.sub.i}.

10. The method of claim 1, wherein said Step (a) includes: a step wherein said each user apparatus generates initial random numbers R1.sub.i, R2.sub.i, ca.sub.i, cb.sub.i, s.sub.i,M+1 and t.sub.i,M+1; and a step wherein said each user apparatus: sets an initial value of m at M, and performs, with respect to the element number vi corresponding to said intended value V.sub.vi, the following calculations s.sub.i,m=h(s.sub.i,m+1.parallel.h.sup.M+1-m(ca.sub.i).parallel.h.sup.M+1- -m(cb.sub.i)) and t.sub.i,m=h(t.sub.i,m+1.parallel.h.sup.M+1-m(ca.sub.i).p- arallel.h.sup.M+1-m(cb.sub.i)) sequentially for m=M, M-1, . . . , vi to provide subsequences s.sub.i,m.noteq.t.sub.i,m; calculates a sequence element for m=vi-1 s.sub.i,m=t.sub.i,m=h(s.sub.i,m-1.parallel.t.sub.i,m-1- .parallel.h.sup.M+1-m(ca.sub.i).parallel.h.sup.M+1-m(cb.sub.i)) and a sequence element for m=vi-2, vi-3, . . . , 0 s.sub.i,m=t.sub.i,m=h(s.sub.- i,m-1.parallel.h.sup.M+1-m(ca.sub.i).parallel.h.sup.M+1-m(cb.sub.i)) to provide subsequences s.sub.i,m=t.sub.i,m; and obtains sequences of said elements s.sub.i,m and t.sub.i,m as said sequences of information s.sub.i and t.sub.i, and a value s.sub.i,0 for m=0; and wherein said Step (a) further includes: a step wherein said each user apparatus encrypts R1.sub.i and s.sub.i={s.sub.i,1, s.sub.i,2, . . . , s.sub.i,M} by an encryption function E.sub.A, sends the resulting E.sub.A(s.sub.i.parallel- .R1.sub.i) to said first quantitative competition apparatus, encrypts R2.sub.i and t.sub.i={t.sub.i,1, t.sub.i,2, . . . , t.sub.i,M} by an encryption function E.sub.B, and sends the resulting E.sub.B(t.sub.i.parallel.R2.sub.i) to said second quantitative competition apparatus; and a step wherein said each user apparatus sends H1.sub.i=h(s.sub.i.parallel.R1.sub.i), H2.sub.i=h(t.sub.i.parallel.R2.sub- .i), s.sub.i,0, h.sup.M+1(ca.sub.i) and h.sup.M+1(cb.sub.i) to said bulletin board to make them public.

11. A quantitative competition method in which the maximum one V.sub.MAX of all users' intended values V.sub.vi selected from among M monotone increasing values V.sub.w, where w=1, 2, . . . , M, in the range of predetermined lower-limit and upper-limit values V.sub.1 and V.sub.M and only a user j having selected said maximum value W.sub.MAX as his intended value are specified by a plurality of user apparatuses i, where i=1, . . . , N, said N being an integer equal to or larger than 2, first and second quantitative competition apparatuses, and a bulletin board apparatus that makes public information received from said plurality of user apparatuses and said first and second quantitative competition apparatuses, said method comprising: Step (a) wherein each of said user apparatuses i: responds to said intended value V.sub.vi input from one of said all users to generate two M-element sequences of information s.sub.i and t.sub.i whose corresponding elements equal at values in the range from said lower-limit value V.sub.1 or larger to said intended value V.sub.vi or smaller and differ at values in the range from said intended value V.sub.vi or larger to said upper-limit value V.sub.M or smaller; and secretly sends information about said two M-element sequences of information s.sub.i and t.sub.i to said first and second quantitative competition apparatuses, respectively, said M representing the number of values selectable as said intended values in the range from said lower-limit value V.sub.1 or larger to said upper-limit value V.sub.M or smaller; Step (b) wherein said first quantitative competition apparatus: extracts, for a given value V.sub.w equal to or larger than said lower-limit value V.sub.1 and equal to or smaller than said upper-limit value, those elements s.sub.i,w of said M-element sequences of information s.sub.i sent from said all user apparatuses which correspond to w; and generates an element concatenation Seq.sub.s,w=s.sub.1,w.parall- el.s.sub.2,w.parallel. . . . .parallel.s.sub.N,w in which said extracted elements s.sub.i,w are arranged in a predetermined order, said .parallel. representing the concatenation of data; Step (c) wherein said second quantitative competition apparatus: extracts, for said given value V.sub.w, those elements t.sub.i,w of said M-element sequences of information t.sub.i sent from said all user apparatuses which correspond to said value w; and generates an element concatenation Seq.sub.t,w=t.sub.1,w.parallel.t.sub.2,w.parallel. . . . .parallel.t.sub.N,w in which said extracted elements t.sub.i,w are arranged in a predetermined order; Step (d) wherein said bulletin board apparatus: compares said element concatenations Seq.sub.s,w and Seq.sub.t,w without revealing their values; decides the presence or absence of a user having selected his intended value equal to or larger than said value V.sub.w, depending on whether said concatenations Seq.sub.s,w and Seq.sub.t,w differ or equal; determines the maximum intended value V.sub.MAX by changing said value w based on said decision and makes the value MAX public; and Step (e) wherein said first and second quantitative competition apparatuses send element concatenations Seq.sub.s,MAX and Seq.sub.t,MAX, respectively, to said bulletin board apparatus to make them public, whereby allowing each user to identify user j who committed the maximum intended value V.sub.MAX by finding j which satisfies s.sub.j,MAX.noteq.t.sub.j,MAX of the corresponding elements in said element concatenations Seq.sub.s,MAX and Seq.sub.t,MAX.

12. The method of claim 11, wherein: said Step (a) includes: a step wherein said user apparatus of said each user i generates random numbers R1.sub.i and R2.sub.i secretly send a pair of information (R1.sub.i, s.sub.i) to said first quantitative competition apparatus and a pair of information (R2.sub.i, t.sub.i) to said second quantitative competition apparatus; and a step wherein said user apparatus calculates hash values H1.sub.i=h(R1.sub.i.parallel.s.sub.i) and H2.sub.i=h(R2.sub.i.parallel.t.- sub.i) of concatenations R1.sub.i.parallel.s.sub.i and R2.sub.i.parallel.t.sub.i of said pairs of information (R1.sub.i, s.sub.i) and (R2.sub.i, t.sub.i) by a hash function h, and sends said hash values H1.sub.i and H2.sub.i to said bulletin board apparatus; and said Step (d) includes a step wherein said bulletin board apparatus makes public said hash values H1.sub.i and H2.sub.i, where i=1, 2, . . . , N, as commitments of said all users.

13. The method of claim 12, wherein: said Step (b) includes a step wherein said first quantitative competition apparatus: calculates a hash value HS.sub.w=h(Seq.sub.s,w) of said element concatenation Seq.sub.s,w by said hash function h; and sends said hash value HS.sub.w to said bulletin board apparatus; said Step (c) includes a step wherein said second quantitative competition apparatus: calculates a hash value HT.sub.w=h(Seq.sub.t,w) of said element concatenation Seq.sub.t,w by said hash function h; and sends said hash value HT.sub.w to said bulletin board apparatus; and said Step (d) includes a step wherein said bulletin board apparatus: makes public and compares said hash values HS.sub.w and HT.sub.w received from said first and second quantitative competition apparatuses; decides the presence or absence of a user having selected his intended value equal to or larger than said value V.sub.w, depending on whether said hash values HS.sub.w and HT.sub.w differ or equal; and determines said maximum intended value V.sub.MAX by changing said value w based on said decision.

14. The method of claim 12, wherein: said first and second quantitative competition apparatuses have stored therein a prime P made public previously by said bulletin board apparatus, said prime P being a prime such that P-1 has a large prime as its divisor, and said first and second quantitative competition apparatuses having selected a common integral value w; said Step (b) includes a step wherein said first quantitative competition apparatus: calculates a hash value HS.sub.w=h'(Seq.sub.s,w) of said element concatenation Seq.sub.s,w by a hash function h' that maps an arbitrary integer over a finite field uniquely and randomly; generates a random number RA,; calculates a hash value HA.sub.w=h(RA.sub.w.parallel- .HS.sub.w) of a concatenation RA.sub.w.parallel.HS.sub.w by said hash function h; calculates HS.sub.w.sup.RAw(mod P); and sends a pair (HA.sub.w, HS.sub.w.sup.RAw(mod P)) of said hash value HA.sub.w and said value HS.sub.w.sup.RAw(mod P) to said bulletin board apparatus; said Step (c) includes a step wherein said second quantitative competition apparatus: calculates a hash value HT.sub.w=h'(Seq.sub.t,w) of said element concatenation Seq.sub.t,w by a hash function h'; generates a random number RB.sub.w; calculates a hash value HB.sub.w=h(RB.sub.w.paral- lel.HT.sub.w) of a concatenation RB.sub.w.parallel.HT.sub.w by said hash function h; calculates HT.sub.w.sup.RBw(mod P); and sends a pair (HB.sub.w, HT.sub.w.sup.RBw(mod P)) of said hash value HB.sub.w and said value HT.sub.w.sup.RBw(mod P) to said bulletin board apparatus; and said Step (d) includes: a step wherein said first quantitative competition apparatus reads said HT.sub.w.sup.RBw(mod P) from said bulletin board apparatus, and calculates and sends (HT.sub.w.sup.RBw).sup.RAw(mod P) to said bulletin board apparatus; a step wherein said second quantitative competition apparatus reads said HS.sub.w.sup.RAw(mod P) from said bulletin board apparatus, and calculates and sends (HS.sub.w.sup.RAw).sup.RBw(mod P) to said bulletin board apparatus; and a step wherein said bulletin board apparatus: makes public and compares said (HS.sub.w.sup.RAw).sup.RBw(mod P) and (HT.sub.w.sup.RBw).sup.RAw(mod P) received from said first and second quantitative competition apparatuses; decides the presence or absence of a user having selected his intended value equal to or larger than said value V.sub.w, depending on whether said (HS.sub.w.sup.RAw).sup.RBw(mod P) and (HT.sub.w.sup.RBw).sup.RAw(mod P) differ or equal; and determines said maximum intended value V.sub.MAX by changing said value w based on said decision.

15. The method of claim 13 or 14, wherein: letting w.sub.min and w.sub.max represent variables of integers 1 to M, said first and second quantitative competition apparatuses have said value w in common as the maximum integer equal to or smaller than (w.sub.min+w.sub.max)/2=(1+M)/2 where w.sub.min=1 and w.sub.max=M; and said Step (d) includes a step wherein: w is substituted for said variable w.sub.max or w+1 is substituted for said variable w.sub.min, depending on the presence or absence of a user having selected his intended value equal to or larger than said value V.sub.w; said Steps (b) and (c) are repeated until w.sub.max=w.sub.min=MAX to obtain said minimum intended value V.sub.MAX corresponding to said value MAX; and upon each repetition of said Steps (b) and (c), said bulletin board apparatus makes public the results of calculation.

16. The method of claim 14, wherein each element of said M-element sequences of information s.sub.i and t.sub.i is a one-bit element.

17. The method of claim 14 or 16, said step (e) further comprising a step wherein said first and second quantitative competition apparatus send said bulletin board apparatus random numbers RA.sub.MIN and RB.sub.MIN, respectively, to make them public.

18. The method of any one of claims 11 to 14, wherein: L quantitative competition apparatuses are provided, said L being equal to or larger than 3; said Step (a) includes a step wherein when supplied with said value V.sub.vi, said each user apparatus generates L sequences of information s.sub.ik, where k=1, 2, . . . , L, said L sequences of information s.sub.ik being such that they are equal in all pieces of information corresponding to values equal to or greater than V.sub.1 and smaller than V.sub.vi but different in all pieces of information corresponding to values equal to or larger than V.sub.vi and equal to or smaller than V.sub.M and such that said value V.sub.vi can be detected when at least two sequences s.sub.ia and s.sub.ib of said L sequences of information s.sub.ik are known, where a.noteq.b; and said each user apparatus sends said L sequences of information s.sub.ik to a k-th quantitative competition apparatus; and wherein two of said L quantitative competition apparatuses conduct quantitative competition, and when one of said two quantitative competition apparatuses goes down, another normal one of the remaining quantitative competition apparatuses is used to continue said quantitative competition.

19. The method of claim 11, wherein said Step (a) includes a step wherein: said each user apparatus secretly sends seed values s'.sub.i and t'.sub.i as information corresponding to said two sequences of information s.sub.i and t.sub.i to said first and second quantitative competition apparatuses, respectively; letting vi represent the element number corresponding to said intended value V.sub.vi, said seed values s'.sub.i and t'.sub.i are determined by a one-way function F so that F.sup.d(s'.sub.i)=F.sup.d(t'.sub.i), where d=0, 1, . . . , M-vi, and F.sup.e(s'.sub.i)=F.sup.e(t'.sub.i), where e=M-vi+1, . . . , M-1; and said two sequences of information s.sub.i and t.sub.i are given by the following equations s.sub.i={s.sub.i,1=F.sup.M-1(s'.sub.i), s.sub.i,2=F.sup.M-2(s'.sub.i), . . . , s.sub.i,vi-1=F.sup.M-vi+1(s'.sub.i- ), s.sub.i,vi=F.sup.M-vi(s'.sub.i), . . . , s.sub.i,M-1=F(s'.sub.i), s.sub.i,M=s'.sub.i} and t.sub.i={t.sub.i,1=F.sup.M-1(t'.sub.i), t.sub.i,2=F.sup.M-2(t'.sub.i), . . . , t.sub.i,vi-1=F.sup.M-vi+1(t'.sub.i- ), t.sub.i,vi=F.sup.M-vi(t'.sub.i), . . . , t.sub.i,M-1=F(t'.sub.i), t.sub.i,M=s'.sub.i}.

20. The method of claim 11, wherein said Step (a) includes: a step wherein said each user apparatus generates initial random numbers R1.sub.i, R2.sub.i, ca.sub.b, cb.sub.i, s.sub.i,M+1 and t.sub.i,M+1; and a step wherein said each user apparatus: sets an initial value of m at M, and performs, with respect to the element number vi corresponding to said intended value V.sub.vi, the following calculations s.sub.i,m=h(s.sub.i,m+1.parallel.h.sup.M+1-m(ca.sub.i).parallel.h.sup.M+1- -m(cb.sub.i)) and t.sub.i,m=h(t.sub.i,m+1.parallel.h.sup.M+1-m(ca.sub.i).p- arallel.h.sup.M+1-m(cb.sub.i)) sequentially for m--M, M-1, . . . , vi to provide subsequences s.sub.i,m.noteq.t.sub.i,m; calculates a sequence element for m=vi-1 s.sub.i,m=t.sub.i,m=h(s.sub.i,m-1.parallel.t.sub.i,m-1- .parallel.h.sup.M+1-m(ca.sub.i).parallel.h.sup.M+1-m(cb.sub.i)) and a sequence element for m=vi-2, vi-3, . . . , 0 s.sub.i,m=t.sub.i,m=h(s.sub.- i,m-1.parallel.h.sup.M+1-m(ca.sub.i).parallel.h.sup.M+1-m(cb.sub.i)) to provide subsequences s.sub.i,m=t.sub.i,m; and obtains sequences of said elements s.sub.i,m and t.sub.i,m as said sequences of information s.sub.i and t.sub.i, and a value s.sub.i,0 for m=0; and wherein said Step (a) further includes: a step wherein said each user apparatus encrypts R1.sub.i and s.sub.i={s.sub.i,1, s.sub.i,2, . . . , s.sub.i,M} by an encryption function E.sub.A, sends the resulting E.sub.A(s.sub.i.parallel- .R1.sub.i) to said first quantitative competition apparatus, encrypts R2.sub.i and t.sub.i={t.sub.i,1, t.sub.i,2, . . . , t.sub.i,M} by an encryption function E.sub.B, and sends the resulting E.sub.B(t.sub.i.parallel.R2.sub.i) to said second quantitative competition apparatus; and a step wherein said each user apparatus sends H1.sub.i=h(s.sub.i.parallel.R1.sub.i), H2.sub.i=h(t.sub.i.parallel.R2.sub- .i), s.sub.i,0, h.sup.M+1(ca.sub.i) and h.sup.M+1(cb.sub.i) to said bulletin board to make them public.

21. The method of claim 1 or 11, wherein said Step (a) includes a step wherein said each user apparatus: generates a random number ri; determines two pieces of random information a.sub.i and b.sub.i, where r.sub.i=a.sub.i*b.sub.i, said symbol * being a predetermined common operator; sends said pieces of random information a.sub.i and b.sub.i to said first and second quantitative competition apparatuses, respectively; hashes said pieces of random information ai and bi by a hash function h; and sends hash values h(a.sub.i), h(b.sub.i) and h(V.sub.vi.parallel.r.su- b.i) to said bulletin board apparatus; and said Step (e) includes a step wherein said first and second quantitative apparatuses send said pieces of random information aj and b.sub.j to said bulletin board apparatus to make them public, and said each user apparatus verifies said made-public hash values h(a.sub.j) and h(b.sub.j) by using said made-public random information a.sub.j and b.sub.j and further verifies whether h(V.sub.vj.parallel.r.sub.i)=h(V.sub.vj.parallel.a.sub.j*b.sub.j).

22. A method by which said each user apparatus in said quantitative competition method of claim 1 registers his intended value V.sub.vi selected from among M integral values defined by upper and lower limits V.sub.M and V.sub.1 for comparison, said M being an integer equal to or larger than 2, said method comprising the steps of: (a) responding to the input of said intended value V.sub.vi to generate two M-element sequences of information s.sub.i and t.sub.i whose corresponding elements equal at values in the range from said value V.sub.i or larger to said value V.sub.vi or smaller and differ at values in the range from said value V.sub.vi or larger to said value V.sub.M or smaller; (b) responding to the input of said two M-element sequences of information s.sub.i and t.sub.i to calculate one-way functions for said sequences of information s.sub.i and t.sub.i and send calculation results H1.sub.i and H2.sub.i to a bulletin board apparatus; and (c) sending said sequence of information s.sub.i to a first quantitative competition apparatus, said sequence of information t.sub.i to a second quantitative competition apparatus, and said H1.sub.i and H2.sub.i to said bulletin board apparatus.

23. A method by which said each user apparatus in said quantitative competition method of claim 11 registers his intended value V.sub.vi selected from among M integral values defined by upper and lower limits V.sub.M and V.sub.1 for comparison, said M being an integer equal to or larger than 2, said method comprising the steps of: (a) responding to the input of said intended value V.sub.vi to generate two M-element sequences of information s.sub.i and t.sub.i whose corresponding elements differ at values in the range from said value V.sub.1 or larger to said value V.sub.vi or smaller and equal at values in the range from a value V.sub.vi+1 or larger to said value V.sub.M or smaller; (b) responding to the input of said two M-element sequences of information s.sub.i and t.sub.i to calculate one-way functions for said sequences of information s.sub.i and t.sub.i and send calculation results H1.sub.i and H2.sub.i to a bulletin board apparatus; and (c) sending said sequence of information s.sub.i to a first quantitative competition apparatus, said sequence of information t.sub.i to a second quantitative competition apparatus, and said H1.sub.i and H2.sub.i to said bulletin board apparatus.

24. A user apparatus for use in said quantitative competition method of claim 1, comprising: a storage part having stored therein M integral values defined by upper and lower limits V.sub.M and V.sub.1 for comparison; input means for inputting an intended value V.sub.vi equal to or larger than said value V.sub.1 and equal to or smaller than said value V.sub.M; a sequence-of-information generating part supplied with said values V.sub.vi, V.sub.1 and V.sub.M, for generating and outputting two M-element sequences of information s.sub.i and t.sub.i whose corresponding elements equal at values in the range from said lower-limit value V.sub.1 or larger to said intended value V.sub.vi or smaller and differ at values in the range from said intended value V.sub.vi or larger to said upper-limit value V.sub.M or smaller, or two M-element sequences of informnation s.sub.i and t.sub.i whose corresponding elements differ at values in the range from said lower-limit value V.sub.1 or larger to said intended value V.sub.vi or smaller and equal at values in the range from a value V.sub.vi+1 or larger to said upper-limit value V.sub.M or smaller, said M being the number of values selectable as said intended value V.sub.vi equal to or larger than said value V.sub.1 and equal to or smaller than said value V.sub.M; a one-way function calculating part supplied with said sequences of information s.sub.i and t.sub.i, for calculating one-way functions for said sequences of information s.sub.i and t.sub.i and for outputting calculation results H1.sub.i and H2.sub.i; and a transmitting part for sending said sequence of information s.sub.i to a first quantitative competition apparatus, said sequence of information t.sub.i to a second quantitative competition apparatus, and said H1.sub.i and H2.sub.i to a bulletin board apparatus.

25. A user apparatus for use in said quantitative competition method of claim 11, comprising: a storage part having stored therein M integral values defined by upper and lower limits V.sub.M and V.sub.1 for comparison, said M being an integer equal to or larger than 2; input means for inputting an intended value V.sub.vi equal to or larger than said value V.sub.1 and equal to or smaller than said value V.sub.M; a sequence-of-information generating part supplied with said values V.sub.vi, V.sub.1 and V.sub.M, for generating and outputting two M-element sequences of information s.sub.i and t.sub.i whose corresponding elements differ at values in the range from said lower-limit value V.sub.1 or larger to said intended value V.sub.vi or smaller and equal at values in the range from a value V.sub.vi+1 or larger to said upper-limit value V.sub.M or smaller; a one-way function calculating part supplied with said sequences of information s.sub.i and t.sub.i, for calculating one-way functions for said sequences of information s.sub.i and t.sub.i and for outputting calculation results H1.sub.i and H2.sub.i; and a transmitting part for sending said sequence of information s.sub.i to a first quantitative competition apparatus, said sequence of information t.sub.i to a second quantitative competition apparatus, and said H1.sub.i and H2.sub.i to a bulletin board apparatus.

26. A quantitative competition apparatus for use in a quantitative competition method of claim 1 or 11, comprising: a receiving part for receiving from each user apparatus a sequence of information consisting of elements of the same number M as that of values selectable as an intended value V.sub.vi in the range of between lower-limit and upper-limit values V.sub.1 and V.sub.M, and for receiving an integral value w from a bulletin board apparatus; a storage part for storing said sequence of information received from said each user apparatus; a one-way function calculating part supplied with w-th elements of said sequences of information received from users, for calculating and outputting one-way functions for concatenations of said w-th elements; and a transmitting part for sending said calculated one-way functions to said bulletin board apparatus.

27. A competition method by a quantitative competition apparatus for use in said quantitative competition method of claim 1 or 11, said method comprising the steps of: (a) receiving, from each user apparatus i, where =1, 2, . . . , N, an M-element sequence of information s.sub.i={s.sub.i,1 s.sub.i,2, . . . , s.sub.i,M} as information representing an intended value V.sub.vi selected from among M values in the range of between lower-limit and upper-limit values V.sub.1 and V.sub.M; (b) receiving an integral value w from a bulletin board apparatus; (c) inputting a w-th element s.sub.i,w of said sequence of information si received from said each user apparatus and calculating a one-way function for a concatenation of such input w-th elements s.sub.i,w; and (d) sending said calculated one-way function to said bulletin board.

28. A quantitative competition apparatus for use in said quantitative competition method of claim 1 or 11, said apparatus comprising: a receiving part for receiving from each user apparatus a sequence of information consisting of elements of the same number M as that of values selectable as an intended value V.sub.vi in the range of between lower-limit and upper-limit values V.sub.1 and V.sub.M, and for receiving an integral value w from a bulletin board apparatus; a storage part for storing said sequence of information received from said each user apparatus; a one-way function calculating part supplied with w-th elements of said sequences of information received from users, for calculating and outputting one-way functions for concatenations of said w-th elements; and a transmitting part for sending said calculated one-way functions to said bulletin board apparatus.

29. A computer program for executing the procedure to be followed by a user apparatus in a quantitative competition method of claim 1 or 11, said program comprising the steps of: responding to an intended value V.sub.vi selected from among integral values defined by upper-limit and lower-limit values V.sub.1 and V.sub.M for comparison to generate two M-element sequences of information s.sub.i and t.sub.i whose corresponding elements equal at values in the range from said lower-limit value V.sub.1 or larger to said intended value V.sub.vi or smaller and differ at values in the range from said intended value V.sub.vi or larger to said upper-limit value V.sub.M or smaller, or two M-element sequences of information s.sub.i and t.sub.i whose corresponding elements differ at values in the range from said lower-limit value V.sub.1 or larger to said intended value V.sub.vi or smaller and equal at values in the range from a value V.sub.vi+1 or larger to said upper-limit value V.sub.M or smaller, said M being the number of values selectable as said intended value V.sub.vi equal to or larger than said value V.sub.1 and equal to or smaller than said value V.sub.M; calculating one-way functions for said sequences of information s.sub.i and t.sub.i and for outputting calculation results H1.sub.i and H2.sub.i; and sending said sequence of information s.sub.i to a first quantitative competition apparatus, said sequence of information t.sub.i to a second quantitative competition apparatus, and said H1.sub.i and H2.sub.i to a bulletin board apparatus.

30. A recording medium on which there is recorded said computer program of claim 29.